Malicious PDF — malware analysis report

Static analysis result for SHA-256 6538290131f20f20…

MALICIOUS

PDF

Size: 15.9 KB
Authoring application: Ncnjqjdfgz Oklbqmtu
First seen: 2026-05-08
MD5: 23ddb10660717536d1251051b9858468
SHA-1: 4df796f486e3103032b3cae04210d6b08ce28194
SHA-256: 6538290131f20f20409f0f3856dd7d0f2b7b662aad67e26a77268a5acc57c084
Risk Score: 72

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF file contains malformed active content streams and embedded scripts, indicating an attempt to exploit a vulnerability. The ML classifier strongly flags this PDF as malicious. The embedded script likely attempts to download and execute a second-stage payload from the identified suspicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (6)

  • Malformed active-content stream length (severity: medium, PDF_MALFORMED_EXPLOIT_STREAM_LENGTH)
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • Embedded file (severity: low, PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form (severity: low, PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded script payload in PDF stream (severity: info, PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Suspicious extracted artifact (severity: info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • http://www2.thebest-yirscanner.Kwik.To/?pqt9rw965=lNThna%2FcsZtb6dHJn5qoq1%2Bf3ebfoJifppqoo9alcqvYX6qosZmYlJippGaroqaZz9SroJmjltLWm%2BS0i4qAmtjOxqKmmqCd&quot;;function (in PDF document text)
    • http://www2.thebest-yirscanner.Kwik.To/?pqt9rw965=lNThna%2FcsZtb6dHJn5qoq1%2Bf3ebfoJifppqoo9alcqvYX6qosZmYlJippGaroqaZz9SroJmjltLWm%2BS0i4qAmtjOxqKmmqCd&quot (in PDF document text)
    • http://ns.adobe.com/xdp/ (in PDF document text)
    • http://www.xfa.org/schema/xci/1.0/ (in PDF document text)
    • http://www.xfa.org/schema/xfa-template/2.5/ (in PDF document text)
    • http://ns.adobe.com/xtd/ (in PDF document text)
    • http://www.xfa.org/schema/xfa-data/1.0/ (in PDF document text)
    • http://ns.adobe.com/xfdf/ (in PDF document text)
    • http://www.xfa.org/schema/xfa-form/2.8/ (in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_file_obj0008.bin
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 8 at offset 0x35D
Size: 15177 bytes
SHA-256: 64011a5e2e6c4b2c9cf9bf66e2a5917b7d540d5ef3488ddc29bc54286aeba4b6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
109 of 211 identifiers look randomly generated (e.g. 'Bf3ebfoJifppqoo9alcqvYX6qosZmYlJippGaroq') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).