Malicious PDF — malware analysis report

Static analysis result for SHA-256 39f45ec9b3149cb0…

MALICIOUS

PDF

Size: 6.1 KB
Created: 2010-05-09 10:31:43
MD5: 1058dee1704507cad360260a127ecf7e
SHA-1: 0567cf50d6d8da110fcb1fdf167eb411755d4ad4
SHA-256: 39f45ec9b3149cb0edb6f790a6385ffb9b4b8ac68f9a4b7404153b460789bd3d
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1055 Process Injection

The PDF file contains an OpenAction trigger at offset 0x707, indicating it's designed to execute code upon opening. Additional heuristics suggest the use of XFA forms and ASCIIHexDecode filters, common in PDF exploits. The ML classifier strongly flags this as malicious. While no specific document body content or scripts were extracted for direct analysis of user-facing lures, the presence of exploit-related triggers points to a likely attack pattern involving the exploitation of PDF reader vulnerabilities.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • OpenAction trigger high PDF_OPENACTION
    PDF has an /OpenAction that launches, submits, or opens an external target
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.