PDF malware analysis — malicious · 4ab8cbec7fc7899c

MALICIOUS

PDF

30.0 KB

MD5: 1a9344980fe2e1a08853113adcee751f SHA-1: f104daaf52a96ccbc4bf1e98af4b3e932876b62f SHA-256: 4ab8cbec7fc7899ca5eeb0eb4f7a3ece3bb4b89db2706c6d3d952025a1ce922e

110 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

This PDF document contains embedded JavaScript, indicated by the PDF_EVAL and PDF_EMBEDDED_SCRIPT_PAYLOAD heuristics. The ML classifier also flagged this PDF as malicious with a high score. The embedded script likely attempts to download and execute a second-stage payload, as suggested by the presence of embedded files and the nature of the PDF_EVAL firing. The specific embedded file 'embedded_file_obj0010.bin' is flagged as a suspicious extracted artifact.

Machine Learning

Nyx PDF Classifier malicious score 0.9969

Heuristics 7

eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/1.0/
- http://www.xfa.org/schema/xfa-template/2.5/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0008.bin` `04462f810d6eacdacecc9d0a5f3f81bebc722af4415e04da19b520338f642b51`	pdf-embedded-file	PDF EmbeddedFile object 8 at offset 0xD7	67 bytes
`embedded_file_obj0009.bin` `e2e0f6c5cb2e0b2697da89386bfc3718eedaf1b6a2b1d24dd1176d27117bf77a`	pdf-embedded-file	PDF EmbeddedFile object 9 at offset 0x162	781 bytes
`embedded_file_obj0010.bin` `76e71e452338d7384967dbf3b8d5c06bea128714940cb02957dd801959b08deb`	pdf-embedded-file	PDF EmbeddedFile object 10 at offset 0x4BA	87 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`embedded_file_obj0011.bin` `318d2a2dfbcab77904cbde36b6cf05a7b7f08582f80bc41db71aab6cf08f168f`	pdf-embedded-file	PDF EmbeddedFile object 11 at offset 0x55C	5954 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.