Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b853dd8901bfddd…

MALICIOUS

PDF

33.5 KB
MD5: b68ca2daa7f0bc3b43391e123757e13e
SHA-1: c2f93a46e00574e2eaeefac0654f70ab93b67c74
SHA-256: 5b853dd8901bfddd6bd95b6312b71bc5f936c7fca329a33c8ab5183cbb097884
110 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is a PDF file identified as malicious by ML classifiers and ClamAV, specifically flagging obfuscated objects and embedded script payloads. The presence of embedded JavaScript, indicated by the 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristic, suggests an attempt to execute code. While the document body is heavily obfuscated and unreadable, the embedded JavaScript is the primary indicator of malicious activity, likely serving to download and execute a further stage. The benign URLs extracted are likely unrelated to the malicious functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9922

Heuristics (5)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded script payload in PDF stream low PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.4/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_000_off0000005d.js
SHA-256: 3700629240743957415dd42948deafeb57c66c154ccded8f5944b9ca89683bb2
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x5D
Size: 8811 bytes