Malicious PDF — malware analysis report

Static analysis result for SHA-256 4be009e96b67f242…

Verdict: MALICIOUS
File type: PDF
Size: 13.0 KB
MD5: d6b07e070ec65b49a91a664c5d669b6f
SHA-1: d47c4650840458d0418bcedd0a7d9a0b8885d93e
SHA-256: 4be009e96b67f24284315094b4d881c0afe3a1ed7b9b100de2b5514053ab16f4
Risk score: 66

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.002 Spearphishing Attachment

The PDF file was flagged as malicious by an ML classifier with high confidence. It contains an embedded script payload, indicating an attempt to execute malicious code. The presence of XFA form elements and embedded files further suggests a complex attack vector. The embedded URLs, while not directly malicious, are part of the document's structure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9961

Heuristics (4)

  • Embedded script payload in PDF stream (severity: medium, rule PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file (severity: low, rule PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form (severity: low, rule PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_00000305.bin
SHA-256: 57449aee625d168afdb9962a5a9ea9eb7762fe07a243b38cf0a57e63716d3099
Kind: pdf-embedded-script
Source: PDF decompressed stream, script payload at offset 0x305
Size: 13354 bytes