Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ac8681280cd6ccb…

Verdict: MALICIOUS
File type: PDF
Size: 134.2 KB
First seen: 2026-05-08
MD5: 65cb758ce827fbd51d82f9bbc6b35bfe
SHA-1: 190b54100f5c1e5968f40c22569e450e19cf9b41
SHA-256: 3ac8681280cd6ccbba29c79c1631ee1150af9a4db457143906802e73199cb29b
Risk score: 86

Digital signature: signed

A PDF signature covers only the byte range it declares and nothing outside it: PDF JavaScript is never signed on its own, and a valid signature attests to who signed those bytes, not to whether the document is safe to open.
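The coverage point above is checkable. The following is an added example, not part of the scanner's output: it pulls every /ByteRange array out of a PDF and reports how much of the file the signed ranges actually cover, so bytes appended after signing (an unsigned incremental update) show up as "unsigned_trailing". The sample PDF is constructed inline with a placeholder /Contents blob rather than a real signature; the field names are this example's own.

```python
import re

# Matches the four-integer /ByteRange array of a PDF signature dictionary:
# [offset1 length1 offset2 length2]. The gap between the two ranges holds
# the /Contents hex string with the signature itself.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def signature_coverage(pdf: bytes) -> list[dict]:
    """Report, for every /ByteRange found, how much of the file it signs.

    Bytes after the signed region are not covered by the signature at all.
    A regex scan only sees uncompressed object syntax, so a /ByteRange inside
    an object stream would be missed; absence of a hit proves nothing.
    """
    findings = []
    for m in BYTERANGE_RE.finditer(pdf):
        a, b, c, d = (int(x) for x in m.groups())
        signed_end = c + d
        findings.append({
            "byte_range": [a, b, c, d],
            "signed_bytes": (b - a) + d,
            "contents_gap": c - b,                       # hex string holding the signature
            "unsigned_trailing": len(pdf) - signed_end,  # bytes nothing signs
            "covers_whole_file": a == 0 and signed_end == len(pdf),
        })
    return findings


def build_sample(trailing: bytes = b"") -> bytes:
    """Constructed stand-in for a signed PDF (no real signature): the /ByteRange
    is computed to cover everything except the /Contents gap, then `trailing`
    is appended to simulate an unsigned incremental update."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /ByteRange "
    placeholder = b"[" + b" ".join([b"0" * 10] * 4) + b"]"  # fixed width keeps offsets stable
    mid = b" /Contents "
    contents = b"<" + b"00" * 8 + b">"                       # placeholder signature blob
    tail = b" >>\nendobj\ntrailer\n<< /Root 2 0 R >>\n%%EOF\n"
    b = len(head) + len(placeholder) + len(mid)              # start of the /Contents gap
    c = b + len(contents)                                    # end of the gap
    d = len(tail)                                            # signed bytes after the gap
    byte_range = b"[%010d %010d %010d %010d]" % (0, b, c, d)
    assert len(byte_range) == len(placeholder)
    return head + byte_range + mid + contents + tail + trailing


if __name__ == "__main__":
    appended = b"2 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n%%EOF\n"
    for label, pdf in (("clean", build_sample()), ("appended", build_sample(appended))):
        print(label, signature_coverage(pdf))
```

Full-file coverage is necessary, not sufficient: the /Contents blob still has to verify cryptographically against those bytes, and a trailing update is not automatically hostile (viewers append form-fill data the same way). Tools such as poppler's pdfsig perform both checks together.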

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
The PowerShell mapping is not corroborated by this report's own findings: the script-payload heuristic below reports no Windows shell-execution primitives in the stream content.

The PDF shows several indicators of malicious intent: embedded file attachments, a /JavaScript action and an XFA script block. The combination of PDF_EMBEDDED_SCRIPT_PAYLOAD with the EXTRACTED_FILE_STATIC_TRIAGE hit on a long encoded blob points to delivery of a secondary payload, and the 411001-byte attachment embedded_file_obj0003.bin, the only artifact flagged for obfuscation, is the likeliest carrier. No specific malware family could be identified.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9195

Heuristics (7)

  • [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD: embedded script payload in PDF stream
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; common in accessible XFA forms, but worth surfacing for analyst review.
  • [low] PDF_EMBEDDED: embedded file
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • [low] PDF_XFA: XFA form
    The PDF uses XML Forms Architecture, which can contain script logic.
  • [low] PDF_JAVASCRIPT: JavaScript action (1 related finding)
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (Matched inside a decoded stream.)
  • [low] PDF_JS: embedded JS stream
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (Matched inside a decoded stream.)
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] EMBEDDED_URL: embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the label after each URL gives the channel (macro, JS, link annotation, document body, ...) that reached it.
    • http://www.umwelt-luzern.ch/gesuchsformular_holzenergie_ab70kw.pdf  [referenced by PDF JavaScript]
    • http://www.holzenergie.ch/fileadmin/user_resources/qualitaetssiegel_lrv_opair/319_Heizkessel_QS.pdf  [referenced by PDF JavaScript]
    • http://www.holzenergie.ch/fileadmin/user_resourcesqualitaetssiegel_lrv_opair/319_Heizkessel_QS.pdf  [referenced by PDF JavaScript]
    • http://www.holzenergie.ch/fileadmin/user_resources/qualitaetssiegel_lrv_opair/319a_QS%2BMinergie_WohnraumHabitation.pdf  [referenced by PDF JavaScript]
    • http://www.holzenergie.ch/fileadmin/user_resources/qualitaetssiegel_lrv_opair/  [referenced by PDF JavaScript]
    • http://www.adobe.com/products/acrobat/readstep2.html  [referenced by PDF JavaScript]
    • http://www.adobe.com/support/products/  [in PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  [referenced by PDF JavaScript]
    • http://ns.adobe.com/xap/1.0/  [referenced by PDF JavaScript]
    • http://ns.adobe.com/pdf/1.3/  [referenced by PDF JavaScript]
    • http://ns.adobe.com/xap/1.0/mm/  [referenced by PDF JavaScript]
    • http://purl.org/dc/elements/1.1/  [referenced by PDF JavaScript]
    • http://ns.adobe.com/xfa/promoted-desc/  [referenced by PDF JavaScript]
    • http://www.xfa.org/schema/xci/2.8/  [referenced by PDF JavaScript]
    • http://www.xfa.org/schema/xfa-template/2.8/  [referenced by PDF JavaScript]
    • http://www.w3.org/1999/xhtml  [referenced by PDF JavaScript]
    • http://www.xfa.org/schema/xfa-data/1.0/  [referenced by PDF JavaScript]
    • http://www.w3.org/2001/XMLSchema-instance  [referenced by PDF JavaScript]
    • http://www.xfa.org/schema/xfa-template/2.6/  [referenced by PDF JavaScript]
    • http://www.xfa.org/schema/xfa-locale-set/2.7/  [referenced by PDF JavaScript]
    • http://www.xfa.org/schema/xfa-locale-set/2.6/  [referenced by PDF JavaScript]
    • http://www.xfa.org/schema/xfa-connection-set/2.8/  [referenced by PDF JavaScript]
    • https://forms.lu.ch/soap/services/ENFA  [referenced by PDF JavaScript]
    • https://forms.lu.ch/soap/services/ENFA?wsdl  [referenced by PDF JavaScript]
    • http://cgi.adobe.com/special/acrobat/update  [referenced by PDF JavaScript]
    • http://www.adobe.com/suppor  [referenced by PDF JavaScript]
    • http://ns.adobe.com/xdp/  [referenced by PDF JavaScript]
    • http://www.xfa.org/schema/xfa-form/2.8/  [referenced by PDF JavaScript]
    • http://ns.adobe.com/data-description/  [referenced by PDF JavaScript]
    • http://schemas.xmlsoap.org/soap/envelope/  [referenced by PDF JavaScript]
    • http://adobe.com/idp/services  [referenced by PDF JavaScript]
    • http://www.w3.org/2001/XMLSchema  [referenced by PDF JavaScript]
    • http://ns.adobe.com/xfdf/  [in PDF document text]
    Most of these entries are XML namespace URIs from the XFA template and XMP metadata (xfa.org, ns.adobe.com, w3.org, purl.org, xmlsoap.org); they identify schemas and are not network destinations. The entries that name reachable resources are the umwelt-luzern.ch and holzenergie.ch document links, the adobe.com pages, and the two forms.lu.ch entries, which together with the xfa-connection-set namespace and the SOAP envelope namespace point at a SOAP web-service connection defined in the form.
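Several of the heuristics above note that they matched "inside a decoded stream", and the URL list mixes schema namespaces with real hosts. The following is an added example, not the scanner's code: it inflates /FlateDecode streams, runs keyword indicators (named after the report's heuristic labels, with patterns of this example's own making) over both the raw file and each decoded stream so the analyst can see which hits only appear after decoding, and sorts extracted URLs into XML namespace URIs versus everything else. The test PDF, the namespace prefix list and the "network" label are constructed for this example.

```python
import re
import zlib

# Labels follow the report's heuristic names; the patterns are this example's own.
INDICATORS = {
    "PDF_JAVASCRIPT": re.compile(rb"/JavaScript\b"),
    "PDF_JS": re.compile(rb"/JS\b"),
    "PDF_EMBEDDED": re.compile(rb"/EmbeddedFile\b"),
    "PDF_XFA": re.compile(rb"/XFA\b"),
    "PDF_EMBEDDED_SCRIPT_PAYLOAD": re.compile(rb"<script\b"),
}
# A stream dictionary followed by the stream keyword; the tempered dot keeps
# one match from running across an object boundary.
STREAM_RE = re.compile(rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
# Direct /Length only; an indirect "/Length 5 0 R" is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
URL_RE = re.compile(rb"https?://[^\s\"'<>()\\]+")
# Namespace URIs seen in XFA/XMP markup: schema identifiers, not destinations.
NAMESPACE_PREFIXES = ("http://www.xfa.org/schema/", "http://ns.adobe.com/",
                      "http://www.w3.org/", "http://purl.org/dc/",
                      "http://schemas.xmlsoap.org/")


def classify_url(url: str) -> str:
    return "xml-namespace" if url.startswith(NAMESPACE_PREFIXES) else "network"


def iter_streams(pdf: bytes):
    """Yield (offset, dictionary bytes, raw stream data) for each stream object."""
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        n = LENGTH_RE.search(m.group(1))
        if n:
            end = start + int(n.group(1))
        else:
            end = pdf.find(b"endstream", start)
            end = len(pdf) if end == -1 else end
        yield m.start(), m.group(1), pdf[start:end]


def decode_stream(dict_bytes: bytes, data: bytes) -> bytes:
    """Inflate /FlateDecode streams; other filters or corrupt data stay raw."""
    if b"/FlateDecode" in dict_bytes:
        try:
            return zlib.decompress(data)
        except zlib.error:
            pass
    return data


def triage(pdf: bytes) -> dict:
    hits: dict[str, set] = {}
    urls: dict[str, str] = {}

    def scan(blob: bytes, where: str) -> None:
        for label, pat in INDICATORS.items():
            if pat.search(blob):
                hits.setdefault(label, set()).add(where)
        for u in URL_RE.findall(blob):
            url = u.decode("latin-1")
            urls.setdefault(url, classify_url(url))

    scan(pdf, "raw")                        # everything visible without decoding
    for off, dict_bytes, data in iter_streams(pdf):
        decoded = decode_stream(dict_bytes, data)
        if decoded != data:                 # raw streams were already covered above
            scan(decoded, f"decoded stream@0x{off:x}")
    return {"hits": {k: sorted(v) for k, v in hits.items()}, "urls": urls}


def build_sample() -> bytes:
    """Constructed test PDF (not the analysed sample): an XFA template with an
    inline <script> and a /JavaScript action hidden in one Flate-compressed
    stream, plus an uncompressed /EmbeddedFile."""
    xfa = (b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.8/">'
           b'<script contentType="application/x-javascript">'
           b'app.launchURL("http://www.example.com/form.pdf");</script></template>\n'
           b"<< /S /JavaScript /JS (this.exportDataObject({cName: 'payload.bin'})) >>")
    packed = zlib.compress(xfa)
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(packed)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + packed + b"\nendstream\nendobj\n"
            b"3 0 obj\n<< /Type /EmbeddedFile /Length 4 >>\nstream\nMZ\x90\x00\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for k, v in triage(build_sample()).items():
        print(k, v)
```

On the constructed file, /XFA and /EmbeddedFile are hit in the raw bytes while /JavaScript, /JS and the <script> tag only surface in the decoded stream, which is the situation the report describes. Streams using other filters (/LZWDecode, /ASCIIHexDecode, filter chains) and objects packed in /ObjStm stay opaque to this pass and need a full PDF parser.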

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Filename                   Kind                     Source                                         Size
embedded_file_obj0002.bin  pdf-embedded-file        PDF EmbeddedFile object 2 at offset 0x58       1856 bytes
    SHA-256: c8a41472743d3d9fa27bd273882940194d1d7c41fccefa703955b9d4d1bf1581
embedded_file_obj0003.bin  pdf-embedded-file        PDF EmbeddedFile object 3 at offset 0x3BD      411001 bytes
    SHA-256: 7a924b420a6a8fe6be5ab7968e1910bffed53b9f6c60e05db642a907d9be4fc6
    ClamAV: no threats found
    Obfuscation or payload: likely. 1397 of 3149 identifiers look randomly generated (e.g. 'A000B000C000F001000110012001300140015001'); 3 string-concatenation chain(s), consistent with name-mangling obfuscation; the carved artifact contains 4 long base64-like blob(s).
embedded_file_obj0004.bin  pdf-embedded-file        PDF EmbeddedFile object 4 at offset 0x1AA62    2920 bytes
    SHA-256: 0cc1acb568122b202bf53805b12af93620ac5985e50247b10a974e6e1d27ad41
embedded_file_obj0007.bin  pdf-embedded-file        PDF EmbeddedFile object 7 at offset 0x1ADDE    640 bytes
    SHA-256: 2ac6dae4fac82721331c9e44dc903d0c773402198ff52d5b347d79af636e20f1
embedded_file_obj0008.bin  pdf-embedded-file        PDF EmbeddedFile object 8 at offset 0x1AF5F    29525 bytes
    SHA-256: 708184c3756f474163a7dc27c006d265992f62c1eabef6b340d7c91a4b8aeac8
embedded_file_obj0009.bin  pdf-embedded-file        PDF EmbeddedFile object 9 at offset 0x1BA61    1535 bytes
    SHA-256: 642ebd21fa554fcf77fe3ed46ebeed5f4ee1777b99b4d17a848c825cbf9e4c0f
embedded_file_obj0010.bin  pdf-embedded-file        PDF EmbeddedFile object 10 at offset 0x1BD24   80 bytes
    SHA-256: 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19
embedded_file_obj0056.bin  pdf-embedded-file        PDF EmbeddedFile object 56 at offset 0x1D6BE   162 bytes
    SHA-256: 6fa3678fdee168a7a81fb992dc3a271bddcc1ae903903c1d80edfc762841b917
embedded_file_obj0057.bin  pdf-embedded-file        PDF EmbeddedFile object 57 at offset 0x1D7B0   3190 bytes
    SHA-256: bd501d2978cc5fb162d9ddf036631cf7646265c33d9f96d9f43edefb556d179d
embedded_file_obj0058.bin  pdf-embedded-file        PDF EmbeddedFile object 58 at offset 0x1DAC0   13903 bytes
    SHA-256: 50db296bdef43ae87dd8badb2b5ba77c68e84ca54fbae87cd389e5d7cd3cf3ff
stream_007_off0001ce3e.js  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1CE3E      1313 bytes
    SHA-256: f94e41f586bf3f20bc1deeac4bfbda388a61db43f25fbd6304ba73f5653368cf
stream_008_off0001d01d.js  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1D01D      902 bytes
    SHA-256: 1b2ec98752b966f601d5223a750559cf13d562ac5e5c6d1fcc7217835b01f5fd
objstm_0060_00.bin         pdf-objstm-decoded       PDF /ObjStm 60 0 obj (inflated)                7043 bytes
    SHA-256: 4213c9e4343812c40120dd8ec0a9d1fe37d621b99c7135cedd524a0692e6ea40
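The obfuscation verdict on embedded_file_obj0003.bin rests on three signals: identifiers that look machine-generated, string-concatenation chains, and long base64-like blobs. The following is an added example, not the scanner's code, showing how such signals can be counted and scored on a script. The randomness heuristic, the verdict thresholds and the sample script are this example's own assumptions; only the signal categories come from the report.

```python
import base64
import re

# JavaScript words the identifier regex would otherwise pick up.
KEYWORDS = {"var", "let", "const", "function", "return", "if", "else", "for",
            "while", "new", "this", "true", "false", "null", "undefined",
            "typeof", "in", "of", "try", "catch", "throw"}
STRING_RE = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'')
IDENT_RE = re.compile(r"(?<![A-Za-z0-9_$])[A-Za-z_$][A-Za-z0-9_$]*")
# Three or more string literals joined with '+', e.g. "ex" + "port" + "Data".
CONCAT_RE = re.compile(r'(?:"[^"\n]*"|\'[^\'\n]*\')(?:\s*\+\s*(?:"[^"\n]*"|\'[^\'\n]*\')){2,}')
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
VOWELS = set("aeiouAEIOU")


def identifiers(script: str) -> list[str]:
    """Identifier occurrences outside string literals, keywords removed."""
    stripped = STRING_RE.sub('""', script)
    return [t for t in IDENT_RE.findall(stripped) if t not in KEYWORDS]


def looks_random(name: str) -> bool:
    """Assumed heuristic for machine-generated names: at least 8 characters and
    either mostly digits (A000B000C000F001...) or a long vowel-free letter run."""
    if len(name) < 8:
        return False
    digits = sum(ch.isdigit() for ch in name)
    if digits / len(name) >= 0.5:
        return True
    letters = [ch for ch in name if ch.isalpha()]
    return len(name) >= 12 and bool(letters) and not any(ch in VOWELS for ch in letters)


def triage_script(script: str) -> dict:
    ids = identifiers(script)
    random_ids = [i for i in ids if looks_random(i)]
    chains = CONCAT_RE.findall(script)
    blobs = BASE64_RE.findall(script)
    ratio = len(random_ids) / len(ids) if ids else 0.0
    # Thresholds are this example's assumptions, not the report's rules.
    likely = (len(ids) >= 5 and ratio >= 0.3) or len(chains) >= 3 or bool(blobs)
    return {
        "identifiers_total": len(ids),
        "identifiers_random": len(random_ids),
        "random_examples": sorted(set(random_ids))[:3],
        "concat_chains": len(chains),
        "base64_blobs": len(blobs),
        "verdict": "likely" if likely else "unlikely",
    }


# Constructed sample script with mangled names, split strings and one encoded
# blob; it is not content from the analysed file.
BLOB = base64.b64encode(bytes(range(90))).decode()   # 120 base64 characters
SAMPLE_JS = "\n".join([
    f'var A000B000C000F001 = "{BLOB}";',
    'var B001C002D003E004 = "ex" + "port" + "Data" + "Object";',
    'var C002D003E004F005 = "ap" + "p.la" + "unch" + "URL";',
    "function D003E004F005A006(x) { return x.length; }",
    "var total = D003E004F005A006(A000B000C000F001);",
])

if __name__ == "__main__":
    print(triage_script(SAMPLE_JS))
```

Identifier counting is by occurrence, matching the "1397 of 3149" style of the report. Strings are blanked before identifier extraction so that the base64 blob is counted once as a blob and not as thousands of identifier characters; the blob check runs on the original text so that the literal is still seen.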