Malicious PDF — malware analysis report

Static analysis result for SHA-256 456335249ad2b572…

MALICIOUS

PDF

Size: 966.2 KB    First seen: 2026-05-10
MD5: 6e35aab6293a595df3a5c3de80fe6ddb
SHA-1: 4415a797edcd39029d02ed0bf35203d21122665c
SHA-256: 456335249ad2b5726a7534375239f7625427853a7ab94c5f5180998b40b62bd2
Risk score: 68

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file exhibits multiple indicators of malicious intent, including embedded files and JavaScript actions. The presence of embedded script payloads and extracted files like 'embedded_file_obj0003.bin' strongly suggests that this document is a dropper or downloader for further malicious content. The benign reputation of all extracted URLs indicates that the primary threat lies within the embedded artifacts rather than external links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9776

Heuristics (7)

  • Embedded file (severity: low, rule PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form (severity: low, rule PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic
  • JavaScript action (severity: low, 1 related finding, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded script payload in PDF stream (severity: info, rule PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (17)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size (SHA-256 on the following line)
embedded_file_obj0002.bin pdf-embedded-file PDF EmbeddedFile object 2 at offset 0xDB8 1526 bytes
SHA-256: 637dbe9907624321eb82c8a96f4167de9faf5a155390f9141d10dea3362e6046
embedded_file_obj0003.bin pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x10A9 228315 bytes
SHA-256: 5ace6fdb557bd6e0b2248263f50edb142ec0bd9438661823924c2f5266534d3e
  Detection
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 long base64-like blob(s).
embedded_file_obj0005.bin pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x4CDD 2936 bytes
SHA-256: c85e8e9965050a43770fe24075fa3403deb5f55adcb0b7afeeed3ec9af9f4c13
embedded_file_obj0006.bin pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x5053 200 bytes
SHA-256: 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
embedded_file_obj0007.bin pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x5146 324 bytes
SHA-256: 6a0b0a12b186a4a605fb6002a7f9a12c6460c738af88fa0afa49ca882e735ac9
embedded_file_obj0008.bin pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x5263 7062 bytes
SHA-256: 00b402f5ccb4f389aec78364db32b06960fbf4282bc4a6b560eba299c9599bc4
embedded_file_obj0009.bin pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x5612 1539 bytes
SHA-256: 004372caf9fd2c8f1139bad13f8fa360649cc677d9219d56147dd11a4cfee24e
embedded_file_obj0010.bin pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x58CF 80 bytes
SHA-256: 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19
embedded_file_obj1106.bin pdf-embedded-file PDF EmbeddedFile object 1106 at offset 0xF0D9F 85 bytes
SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
embedded_file_obj1107.bin pdf-embedded-file PDF EmbeddedFile object 1107 at offset 0xF0E55 10483 bytes
SHA-256: 042ea718bdafb0844f350f3767f6f1bbb63e865ece850e11b14c03b786398654
  Detection
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 long base64-like blob(s).
embedded_file_obj1108.bin pdf-embedded-file PDF EmbeddedFile object 1108 at offset 0xF1592 96 bytes
SHA-256: 5d8a3ab00ece2d8abbcbcf12f41b89e2dc3f2d3e27f1524308149f9bff5eee23
stream_013_off00016dd3.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x16DD3 1532 bytes
SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
stream_014_off00016fbe.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x16FBE 870 bytes
SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
stream_016_off000173ef.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x173EF 774454 bytes
SHA-256: a2f39801573572e0f61a4271f9b1bbecd0f78b8a37964dcaea5400d2b85aa2f6
stream_017_off0008549e.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8549E 751077 bytes
SHA-256: 0a8b85bdca6d171b1b108b09d6edf274eb23bb01c675c3881a878729e7b400d9
objstm_1110_00.bin pdf-objstm-decoded PDF /ObjStm 1110 0 obj (inflated) 2301 bytes
SHA-256: 95f9b5c698df9896512fd5669a385c5bc75f53c3ee908ba91b55387c67a35cfe
font_00_sfnt_off00005979.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5979 95975 bytes
SHA-256: c29e5b1537bee8c88b3ffca56c5f24a45ec8da374cf9d4c0b4a78d04fc230949