Malicious PDF — malware analysis report

Static analysis result for SHA-256 4230a0f3e5e89265…

MALICIOUS

PDF

Size: 654.2 KB
First seen: 2026-05-08
MD5: 9245400367ab54106fb1aedfb54d678a
SHA-1: bbefbc5d4e3579400891a1b5e5a1b93bf5d2b508
SHA-256: 4230a0f3e5e8926570376441df498a0916e30aa972a2ab4770e728db7cac138e
Risk Score: 88

Digital signature: Signed

A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file exhibits multiple suspicious characteristics, including embedded files and JavaScript actions. One embedded file, 'embedded_file_obj0003.bin', is particularly large and flagged as a potential payload. The presence of JavaScript and embedded files strongly indicates an attempt to download and execute a secondary malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7298

Heuristics (8)

  • Embedded script payload in PDF stream (severity: medium, rule: PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file (severity: low, rule: PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form (severity: low, rule: PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • JavaScript action (severity: low, 1 related finding, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (14)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
embedded_file_obj0001.bin | pdf-embedded-file | PDF EmbeddedFile object 1 at offset 0xD48 | 163 bytes
  SHA-256: f89a7ea6f4981982f79e1dd7c260b7decca329425592bbceb6e836233432db38
embedded_file_obj0002.bin | pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0xE39 | 1865 bytes
  SHA-256: c0ff34361d0f29dcf5b32f3663cf7871be6743314472ab36e1bf697e48fe37ef
embedded_file_obj0003.bin | pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x1186 | 302323 bytes
  SHA-256: 9a972ab3aba9719910bb3c83b7bf26b7cd75c337346f0a73f6b9f075d2a67b90
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  4465 of 7309 identifiers look randomly generated (e.g. 'CHUAAHISN5AWcb6vlRwA0Fqx2IpwZ7PZKAZcYT6f'); 59 string-concatenation chain(s), consistent with name-mangling obfuscation. Carved artifact contains 2 long base64-like blob(s).
embedded_file_obj0004.bin | pdf-embedded-file | PDF EmbeddedFile object 4 at offset 0x2A815 | 5615 bytes
  SHA-256: bae54e3600ae615bf3fb783f9d056684ba872ac2166c4eb2a68ca4ee68db1598
embedded_file_obj0005.bin | pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0x2ABC2 | 568 bytes
  SHA-256: 81920c6b4f4d3d48e7fa787b9ce1f7263749d557524beaf1523eff625319769f
embedded_file_obj0006.bin | pdf-embedded-file | PDF EmbeddedFile object 6 at offset 0x2AD13 | 121 bytes
  SHA-256: 90938f9e3cdf6db2eeee31ed7c949f3b0952b799b670df73d2e56d31bfcc8d34
embedded_file_obj0007.bin | pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0x2ADD0 | 1535 bytes
  SHA-256: 57284e035654e7e3d8dd0c3b32b4f90b83779138adce9ca2dbded5b9d36ce021
embedded_file_obj0008.bin | pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0x2B095 | 80 bytes
  SHA-256: 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19
stream_002_off0000034d.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x34D | 1313 bytes
  SHA-256: f94e41f586bf3f20bc1deeac4bfbda388a61db43f25fbd6304ba73f5653368cf
stream_003_off0000052b.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x52B | 902 bytes
  SHA-256: 1b2ec98752b966f601d5223a750559cf13d562ac5e5c6d1fcc7217835b01f5fd
stream_017_off0003b48f.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3B48F | 367087 bytes
  SHA-256: b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa
stream_018_off0006dca2.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6DCA2 | 352198 bytes
  SHA-256: 1e8564d3d89047875dccaa98279599de9d7ddf77240906041f1156ba8edf3315
objstm_0042_00.bin | pdf-objstm-decoded | PDF /ObjStm 42 0 obj (inflated) | 592 bytes
  SHA-256: 44021cf6079418bf15b3a212398ffc33521d4e37c0e5f94d11dc29851b20f352
font_00_sfnt_off0002b1ab.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B1AB | 95975 bytes
  SHA-256: c29e5b1537bee8c88b3ffca56c5f24a45ec8da374cf9d4c0b4a78d04fc230949