Malicious PDF — malware analysis report

Static analysis result for SHA-256 634b8674f268d35c…

Verdict: MALICIOUS
File type: PDF
Size: 4.6 KB
Created: 2011-03-17 02:38:08
Authoring application: ods cor
First seen: 2026-05-09
MD5: c7667118d338274970eda5ed1de2e016
SHA-1: 10d6963ba0fb73f45fb04a321f1e95a1be6ab609
SHA-256: 634b8674f268d35cdb034f9bf98209cdbd9d097ce456febd915089976449dcf8
Risk score: 68

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is a PDF that the ML classifier scores as malicious, with heuristics for embedded file attachments and an XFA form, both common exploit-delivery vectors. The six carved /EmbeddedFile streams are small (56 to 228 bytes each) and at least one uses a filter chain the scanner could not decode, so the nested content could not be classified; the attachments may be intended to drop a secondary payload, but nothing in the static analysis identifies an exploit or a malware family. The ATT&CK mapping reflects the expected delivery path of a malicious PDF attachment (spearphishing, client-side exploitation) rather than a confirmed exploit, and the verdict rests on the classifier score and the structural heuristics below.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • PDF_EMBEDDED_FILE_UNDECODED (medium): PDF embedded file could not be fully decoded
    A declared PDF /EmbeddedFile stream uses filters that the scanner could not decode. The raw stream was carved for artifact triage because malformed or unsupported attachment filters can hide payload content from normal extraction.
  • PDF_EMBEDDED (low): Embedded file
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF_XFA (low): XFA form
    The PDF uses XML Forms Architecture, which can contain script logic.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL. All six URLs below were found in PDF document text:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://ns.adobe.com/xtd/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://ns.adobe.com/xfdf/
    • http://www.xfa.org/schema/xfa-form/2.8/
    These six are the XML namespace URIs of the XDP/XFA and XFDF schemas, which appear in the XML of any XFA form. They corroborate PDF_XFA but are not network indicators and do not by themselves imply outbound communication.

Extracted artifacts (6)

Files carved from inside the sample during analysis. Offsets are byte positions within the PDF and sizes are the carved stream lengths. The six streams are small (816 bytes in total), which rules out a self-contained executable payload, and the objects are laid out in file order rather than numeric order (object 18 precedes object 5).

Filename                   | Kind              | Source                                     | Size
embedded_file_obj0018.bin  | pdf-embedded-file | PDF EmbeddedFile object 18 at offset 0x898 | 84 bytes
  SHA-256: d81baa73e490e4cb879e13927cacd1dd1be37524a37eac51603e15117c578777
embedded_file_obj0005.bin  | pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0x949  | 228 bytes
  SHA-256: 24c130f03a4cf51d470b536e94c1e58af67665739e200e0ce198ad41086243c0
embedded_file_obj0006.bin  | pdf-embedded-file | PDF EmbeddedFile object 6 at offset 0xA39  | 199 bytes
  SHA-256: c97e0522381d6196cc0695f35f4d065f15c9c86a9601a7f776c6afd3f4c6b460
embedded_file_obj0015.bin  | pdf-embedded-file | PDF EmbeddedFile object 15 at offset 0xB2B | 172 bytes
  SHA-256: ce48e2f31219eea89becd02b62c15989325bb0c5796ef1171537e8f3641505a4
embedded_file_obj0002.bin  | pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0xC08  | 77 bytes
  SHA-256: e6c26a3478346d27e841ad49868ebf68bf4c6863b6750e8d60bda3c4c6f79876
embedded_file_obj0010.bin  | pdf-embedded-file | PDF EmbeddedFile object 10 at offset 0xCAF | 56 bytes
  SHA-256: 92a3ce61d783e15932b5de127ce45a9b4c2f98f4da2453f65241573c1dda808a
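The Python below is an added example written for this report; it is not the scanner's own code and does not touch the analysed sample. It reimplements the structural heuristics above (PDF_EMBEDDED, PDF_EMBEDDED_FILE_UNDECODED, PDF_XFA, the namespace-URL extraction behind EMBEDDED_URL) and the artifact table (object number, file offset, carved size, SHA-256 of the carved stream) with a minimal regex object walker, running over a PDF constructed inline. The constructed file, the `triage` and `build_sample` function names and the regex walker are assumptions; only FlateDecode and ASCIIHexDecode are implemented, so any other filter or corrupt stream data triggers the undecoded condition, which is what the medium-severity heuristic on this sample reports.

```python
"""Static triage of PDF /EmbeddedFile streams and XFA markers (added example,
not the scanner's code). The sample PDF is constructed inline, below."""
import hashlib
import re
import zlib

# Minimal object walker for classic PDF syntax ("N G obj ... endobj"). It does not
# follow xref tables or unpack /ObjStm object streams; a real scanner must.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
EMBFILE_RE = re.compile(rb"/Type\s*/EmbeddedFile\b")      # \b excludes /EmbeddedFiles
FILTER_RE = re.compile(rb"/Filter\s*(?:\[([^\]]*)\]|(/\w+))")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[\w./\-]*)?")


def decode_chain(filters, data):
    """Apply the /Filter chain in order. Only Flate and ASCIIHex are implemented here,
    so any other filter, or corrupt data, raises: that is the UNDECODED condition."""
    for f in filters:
        if f == b"/FlateDecode":
            data = zlib.decompress(data)
        elif f == b"/ASCIIHexDecode":
            hexpart = re.sub(rb"\s", b"", data.split(b">", 1)[0])
            data = bytes.fromhex(hexpart.decode("ascii"))
        else:
            raise ValueError("unsupported filter %r" % f)
    return data


def triage(pdf):
    """Return fired heuristic IDs, one artifact record per /EmbeddedFile stream,
    and every URL-shaped string found in the document bytes."""
    hits, artifacts = set(), []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        head = body.split(b"stream", 1)[0]          # the object dictionary
        if b"/XFA" in head:
            hits.add("PDF_XFA")
        sm = STREAM_RE.search(body)
        if not EMBFILE_RE.search(head) or sm is None:
            continue
        raw = sm.group(1)
        hits.add("PDF_EMBEDDED")
        fm = FILTER_RE.search(head)
        if fm is None:
            filters = []
        elif fm.group(1) is not None:
            filters = fm.group(1).split()           # array form: [/A /B]
        else:
            filters = [fm.group(2)]                 # single name form: /A
        try:
            decoded = decode_chain(filters, raw)
        except Exception:                           # zlib.error, ValueError, ...
            decoded = None
            hits.add("PDF_EMBEDDED_FILE_UNDECODED")
        artifacts.append({
            "obj": num,
            "offset": m.start(),                    # byte offset of "N 0 obj"
            "size": len(raw),                       # carved (still encoded) length
            "sha256": hashlib.sha256(raw).hexdigest(),
            "filters": [f.decode() for f in filters],
            "decoded": decoded,
        })
    urls = sorted({u.decode() for u in URL_RE.findall(pdf)})
    if urls:
        hits.add("EMBEDDED_URL")
    return {"heuristics": hits, "artifacts": artifacts, "urls": urls}


def _stream(dictionary, data):
    return dictionary + b"\nstream\n" + data + b"\nendstream"


def build_sample():
    """Constructed demo PDF, not the analysed file: one decodable attachment, one with
    truncated Flate data, one with a filter this demo lacks, and an XFA form."""
    payload = zlib.compress(b"MZ\x90\x00 placeholder bytes, not a real executable")
    truncated = payload[: len(payload) // 2]
    xfa = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
           b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.8/"/></xdp:xdp>')
    objs = [
        b"<< /Type /Catalog /AcroForm 2 0 R "
        b"/Names << /EmbeddedFiles << /Names [(a.bin) 3 0 R] >> >> >>",
        b"<< /Fields [] /XFA 5 0 R >>",
        _stream(b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>" % len(payload), payload),
        _stream(b"<< /Type /EmbeddedFile /Filter [/FlateDecode] /Length %d >>" % len(truncated), truncated),
        _stream(b"<< /Length %d >>" % len(xfa), xfa),
        _stream(b"<< /Type /EmbeddedFile /Filter /LZWDecode /Length 4 >>", b"\x80\x0b\x60\x50"),
    ]
    out = b"%PDF-1.7\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    report = triage(build_sample())
    print("heuristics:", sorted(report["heuristics"]))
    for a in report["artifacts"]:
        state = "decoded" if a["decoded"] is not None else "UNDECODED"
        print("obj %d at 0x%X, %d bytes, %s, %s, sha256 %s..." % (
            a["obj"], a["offset"], a["size"], a["filters"], state, a["sha256"][:16]))
    print("urls:", report["urls"])
```

Two points carry over to the report above. The hash is taken over the carved, still-encoded stream, so a hash of a raw carved stream will not match the hash of the decoded attachment; compare against the decoded bytes if you want to pivot on the payload. And a regex walker like this one sees only objects written in the clear: attachments hidden in /ObjStm object streams or behind a cross-reference stream need a real PDF parser, which is also the kind of gap an attacker exploits when they rely on "unsupported filter" to evade extraction.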