Malicious PDF — malware analysis report

Static analysis result for SHA-256 55c589125b6660f5…

Verdict: MALICIOUS
File type: PDF
Size: 35.7 KB
MD5: ada5eb4680ddc340ee6d66abcbeb858e
SHA-1: a5f9c3e67c95ce5220ba82f7cd5a95f127fb8f95
SHA-256: 55c589125b6660f50331da9a1fc2de5e2782c4e0d248702bb8ae5dc94b629e78
Risk score: 66

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1566.002 Phishing: Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The PDF was flagged by the ML classifier with high confidence (0.999991) and fired several heuristics consistent with malicious intent: an embedded script payload, embedded file attachments and an XFA form. Taken together, these indicate an attempt to abuse PDF features rather than a plain document, most likely to deliver a secondary payload (the attachments) or to reach an exploitable code path in the reader (the XFA script). No document body text was available for analysis, and the only URLs extracted are the Adobe XDP and xfa.org schema namespace URIs that any XFA form declares, so they are not in themselves indicative of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename: embedded_file_obj0008.bin
  SHA-256: 0a2224c4023b216235b61c3fc4dd17bbfac1ab23a545687f51b97604cf654712
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 8 at offset 0xC6
  Size: 46 bytes

Filename: embedded_file_obj0009.bin
  SHA-256: 486addfd068f9b87be09f6e7850edf48a4fc1ad2a68c1f65ff5274cbf63e1a0f
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 9 at offset 0x138
  Size: 671 bytes

Filename: embedded_file_obj0010.bin
  SHA-256: b02ddc39d3767e9164dc1e4e83f4df80cfa43e9188f3ce51f4505ff391d43976
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 10 at offset 0x41C
  Size: 150 bytes

Filename: embedded_file_obj0011.bin
  SHA-256: 919311c4f3a5f8d631c55fffd296ccf550fdb5d7b4350edc85e72b711cfc5686
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 11 at offset 0x4F7
  Size: 437 bytes

Filename: embedded_file_obj0012.bin
  SHA-256: 072090be5ea6c4a216543a1d4332d27d322264f3038bbd986db2a09048143a1c
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 12 at offset 0x6F1
  Size: 181 bytes

Filename: embedded_file_obj0014.bin
  SHA-256: 0244ea95cf110e403670be4248c5f8bcdcfec926bde4235cc326c761d246abd7
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 14 at offset 0x7EC
  Size: 33874 bytes
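As an added example (not part of this report or of the tooling that produced it), the Python script below reproduces the heuristic labels listed above (PDF_EMBEDDED, PDF_XFA, PDF_EMBEDDED_SCRIPT_PAYLOAD, EMBEDDED_URL) and the artifact-carving step behind the table: it walks the raw `N 0 obj ... endobj` bodies of a PDF, inflates FlateDecode streams, hashes every /EmbeddedFile and records its object number, file offset and decoded size. It runs against a minimal PDF constructed inline, not against the analysed sample. The PDF_SCRIPT_SHELL_EXEC label and the list of shell-execution primitives are my assumptions, added to show the distinction the script heuristic draws between a plain XFA `<script>` and one that reaches for a shell.

```python
"""Triage a PDF for embedded files, XFA forms and script payloads.

Standalone carving over the raw bytes with regex + zlib; no PDF library is
needed. Object streams (/Type /ObjStm) are not unpacked, so run a real
parser as well on anything this misses.
"""
import hashlib
import re
import zlib
from typing import Optional

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
EMBEDDED_FILE_RE = re.compile(rb"/Type\s*/EmbeddedFile\b")
SCRIPT_TAG_RE = re.compile(rb"<script\b", re.IGNORECASE)
# Assumed list of shell primitives that lift the script heuristic above "medium".
SHELL_RE = re.compile(rb"cmd\.exe|powershell|WScript\.Shell|ShellExecute", re.IGNORECASE)
URL_RE = re.compile(rb"https?://[^\s\"'<>)\]]+")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stream_bytes(body: bytes) -> Optional[bytes]:
    """Return the still-encoded stream bytes of one object body, or None."""
    m = re.search(rb"\bstream\r?\n", body)
    if not m:
        return None
    start = m.end()
    # Direct /Length only; an indirect "/Length 6 0 R" falls back to endstream.
    length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", body)
    if length:
        return body[start:start + int(length.group(1))]
    return body[start:body.find(b"endstream", start)].rstrip(b"\r\n")


def _decode(body: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; leave other filters (or corrupt data) as-is."""
    if b"/FlateDecode" in body:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def triage_pdf(pdf: bytes) -> dict:
    """Carve EmbeddedFile objects and fire the report's heuristic labels."""
    artifacts, heuristics, urls = [], set(), set()
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        if b"/XFA" in body:
            heuristics.add("PDF_XFA")
        raw = _stream_bytes(body)
        if raw is None:
            continue
        data = _decode(body, raw)
        urls.update(u.decode("latin-1") for u in URL_RE.findall(data))
        if SCRIPT_TAG_RE.search(data):
            heuristics.add("PDF_EMBEDDED_SCRIPT_PAYLOAD")
            if SHELL_RE.search(data):
                heuristics.add("PDF_SCRIPT_SHELL_EXEC")  # hypothetical high-severity label
        if EMBEDDED_FILE_RE.search(body):
            heuristics.add("PDF_EMBEDDED")
            artifacts.append({
                "filename": f"embedded_file_obj{num:04d}.bin",
                "object": num,
                "offset": m.start(),  # where "N 0 obj" begins in the file
                "size": len(data),
                "sha256": sha256_hex(data),
                "data": data,
            })
    if urls:
        heuristics.add("EMBEDDED_URL")
    return {"artifacts": artifacts, "heuristics": sorted(heuristics), "urls": sorted(urls)}


# --- constructed sample PDF (not the analysed file) --------------------------
PAYLOAD = b"MZ\x90\x00 constructed stand-in for a dropped executable\n"


def xfa_template(script: bytes) -> bytes:
    """XFA XDP packet carrying one <script> element, as the heuristic looks for."""
    return (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
            b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.5/">'
            b'<script contentType="application/x-javascript">' + script + b"</script>"
            b"</template></xdp:xdp>")


def _obj(num: int, dictionary: bytes, stream: Optional[bytes] = None) -> bytes:
    out = b"%d 0 obj\n" % num + dictionary
    if stream is not None:
        out += b"\nstream\n" + stream + b"\nendstream"
    return out + b"\nendobj\n"


def build_sample_pdf(script: bytes = b"app.alert(1);") -> bytes:
    """Minimal PDF: one FlateDecode EmbeddedFile plus one XFA template with <script>."""
    packed, xfa = zlib.compress(PAYLOAD), xfa_template(script)
    return b"".join([
        b"%PDF-1.7\n",
        _obj(1, b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /XFA 5 0 R >> "
                b"/Names << /EmbeddedFiles << /Names [(dropper.exe) 3 0 R] >> >> >>"),
        _obj(2, b"<< /Type /Pages /Kids [] /Count 0 >>"),
        _obj(3, b"<< /Type /Filespec /F (dropper.exe) /EF << /F 4 0 R >> >>"),
        _obj(4, b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>" % len(packed), packed),
        _obj(5, b"<< /Length %d >>" % len(xfa), xfa),
        b"trailer\n<< /Root 1 0 R >>\n%EOF\n",
    ])


if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf())
    print("heuristics:", ", ".join(report["heuristics"]))
    for a in report["artifacts"]:
        print(f'{a["filename"]}  object {a["object"]} at offset {a["offset"]:#x}  '
              f'{a["size"]} bytes  {a["sha256"]}')
```

The carve is deliberately first-pass triage: it trusts a direct /Length, only knows FlateDecode, and does not unpack object streams or cross-reference streams, so a sample that hides its EmbeddedFile objects inside an /ObjStm will show nothing here and must go through a full PDF parser. The namespace URIs it reports for the XFA packet match the four in the EMBEDDED_URL finding above, which is why that finding is informational rather than a detection.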