Malicious PDF — malware analysis report

Static analysis result for SHA-256 389e3e0aa8d04b4b…

MALICIOUS

PDF

13.4 KB
MD5: 19a967e71ffb690cd2aa82770576ec37 SHA-1: 79c58b494b6ea22a3b05403f1746a91ee9d8bdfd SHA-256: 389e3e0aa8d04b4b5dea5073911d494d80b2eabfa2dbd9f8b766f7ce91e6cbad
66 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution: Malicious File T1566.002 Phishing: Spearphishing Attachment

The PDF was flagged as malicious by an ML classifier with high confidence. It contains an embedded script payload and an embedded file, indicating it is likely intended to deliver a secondary exploit or malware. The presence of XFA form elements also suggests a potential vector for exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
1a69d4f1a4b0c2e77b73544c065591b7a05c85e2bf2193102719c4eb9cf36e29		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0xD1 12982 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.