Malicious PDF — malware analysis report

Static analysis result for SHA-256 45865cba618a78b4…

MALICIOUS

PDF

13.4 KB
MD5: 05a07ec9dbf7512d15d53acf5686edce SHA-1: 6e73802e309aa38b2aec024119a73bd4325ac955 SHA-256: 45865cba618a78b43f6f2d84d6ff16f8fdbe593195dd8d07a5465244b5b80a40
66 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution: Malicious File T1566.002 Phishing: Spearphishing Attachment

The ML classifier strongly indicates this PDF is malicious. The presence of an embedded file and an embedded script payload suggests it is designed to execute malicious code or exploit vulnerabilities upon opening. The embedded URLs, while not directly malicious, are part of the PDF's structure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
9ea4933daec26e297ac389953be7648f869bca0cd4c3dfea0b0a513349a3273f		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0xC6 13022 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.