Malicious PDF — malware analysis report

Static analysis result for SHA-256 68ef656d9b20830a…

MALICIOUS

PDF

Size: 70.7 KB
First seen: 2026-05-08
MD5: 3553c49093f379de39511a71c7346cf9
SHA-1: db010594798596f50466e082757b8037f7ea139f
SHA-256: 68ef656d9b20830a3cdfc4624e9103c98a5593a61c9761dbc562b9939522f20e
Risk score: 88

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

The PDF uses XFA forms and carries an embedded file; the heuristics flag exploit-delivery indicators and the ML classifier scores it malicious. The 'Shellcode candidate region' signal (heap spray 0x0C) fires on the TIFF carved from the XFA image rawValue, which suggests that the image data carries a second-stage payload rather than a picture. The primary IOC is the suspicious URL in the document text, which is likely used to download and execute the payload. Note that ClamAV has no signature for either carved artifact, so the verdict rests on the ML score and the heuristics; confirm it by decoding the TIFF and examining the repeated-0x0C region and the bytes that follow it.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • ASCIIHexDecode filter (with exploit indicators) [medium] PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment; could carry an executable or another weaponised document as a nested payload
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture; can contain script logic (matched inside decoded stream)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://211.154.153.49/Rrotj8YyvOc5HSxdiNzrTPeBu4Ky4a1K?pp=1&x=8,1,0,137&a&s=lib1 (in PDF document text)
    • http://ns.adobe.com/xdp/ (in PDF document text; XDP schema namespace URI, present in any XFA form, not an IOC)
    • http://www.xfa.org/schema/xci/1.0/ (in PDF document text; XFA schema namespace URI, not an IOC)
    • http://www.xfa.org/schema/xfa-template/2.4/ (in PDF document text; XFA schema namespace URI, not an IOC)
    • http://www.xfa.org/schema/xfa-data/1.0/ (in PDF document text; XFA schema namespace URI, not an IOC)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: xfa_image_rawvalue_000.tif
Kind: pdf-xfa-image-tiff
Source: XFA image/rawValue TIFF payload near offset 0x55E
Size: 8076 bytes
SHA-256: 5d13059ee3de255bf09b3ee025bb10a1d3923d208deebb932797a0936b9b235a
Detection (ClamAV): No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x0C

Filename: stream_000_off0000005b.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x5B
Size: 12052 bytes
SHA-256: 90cbe026f44949332ac19e4acb40fd6c8b21842e6ea02fec7c09eb31c1785275
Detection (ClamAV): No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
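As an added example (not the report's own analysis engine or any code from its authors), the following Python script reproduces the steps the heuristics and extracted-artifacts sections above describe: carving stream objects and decoding their /Filter chain (including the ASCIIHexDecode-over-FlateDecode layering behind PDF_FILTER_HEX), recognising XFA content, base64-decoding an XFA image rawValue, checking for a TIFF header, scoring the longest single-byte run as the 'heap spray' indicator, and extracting URLs while discarding the XFA schema namespace URIs. The sample PDF it builds, the RFC 5737 placeholder URL, the 256-byte run threshold and the SHELLCODE_CANDIDATE tag name are assumptions; the other tag names mirror this report's heuristics.

```python
"""Static PDF triage: filter chains, XFA image rawValue payloads, URLs, byte runs.
Added example, not the report's engine. The sample bytes, placeholder URL,
RUN_THRESHOLD and the SHELLCODE_CANDIDATE tag name are assumptions."""
import base64, binascii, hashlib, re, zlib

# Constructed TIFF-like blob: "II*\0" magic, then a long run of 0x0C (the byte the
# report's heap-spray indicator names). Synthetic, not the sample's payload.
FAKE_TIFF = b"II*\x00\x08\x00\x00\x00" + b"\x0c" * 600 + b"\x00" * 16

# Constructed XFA document; the image rawValue rides in <image> as base64 and
# 203.0.113.10 (RFC 5737 documentation range) stands in for a C2 host.
XFA_XML = (
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.4/"><subform>'
    b'<field name="ImageField1"><value><image contentType="image/tif">'
    + base64.b64encode(FAKE_TIFF) +
    b'</image></value></field><field name="Text1"><value>'
    b'<text>http://203.0.113.10/stage2?x=1</text></value></field></subform></template>'
    b'<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/"/></xdp:xdp>'
)

def build_sample_pdf(xfa_xml: bytes) -> bytes:
    """Minimal PDF whose one stream is hex-encoded deflate: the
    [/ASCIIHexDecode /FlateDecode] layering that PDF_FILTER_HEX flags."""
    body = binascii.hexlify(zlib.compress(xfa_xml)).upper() + b">"
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter [/ASCIIHexDecode /FlateDecode] >>\nstream\n" + body
            + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")

# Tempered dot: a stream dictionary may not span "endobj", so an earlier object's
# nested dictionary cannot swallow a later object's stream.
STREAM_RE = re.compile(rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")
IMAGE_RE = re.compile(rb"<image[^>]*>([A-Za-z0-9+/=\s]{64,})</image>", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
XFA_NAMESPACES = (b"http://ns.adobe.com/xdp/", b"http://www.xfa.org/schema/")
RUN_THRESHOLD = 256  # assumed: a single-byte run this long is a spray/sled indicator

def decode_stream(dictionary: bytes, raw: bytes):
    """Apply the /Filter chain in order; stop at the first unsupported or corrupt stage."""
    m = FILTER_RE.search(dictionary)
    filters = re.findall(rb"/(\w+)", m.group(1)) if m else []
    data = raw
    for name in filters:
        if name == b"ASCIIHexDecode":
            hexdata = re.sub(rb"\s+", b"", data.split(b">", 1)[0])  # '>' ends the data
            if len(hexdata) % 2:
                hexdata += b"0"  # spec: a final odd digit is followed by an implicit 0
            data = binascii.unhexlify(hexdata)
        elif name == b"FlateDecode":
            try:
                data = zlib.decompress(data)
            except zlib.error:
                break  # corrupt or deliberately truncated: keep what we have
        else:
            break  # DCTDecode, LZWDecode, ...: not handled in this example
    return filters, data

def longest_byte_run(data: bytes):
    """(byte_value, length) of the longest run of one repeated byte; runs under 16 ignored."""
    best = (None, 0)
    for m in re.finditer(rb"(.)\1{15,}", data, re.DOTALL):
        if len(m.group(0)) > best[1]:
            best = (m.group(1)[0], len(m.group(0)))
    return best

def triage_image_blob(b64: bytes) -> dict:
    """Decode one XFA image rawValue and record the indicators the report shows for it."""
    raw = base64.b64decode(re.sub(rb"\s+", b"", b64))
    byte, run = longest_byte_run(raw)
    return {"size": len(raw), "sha256": hashlib.sha256(raw).hexdigest(),
            "tiff_magic": raw[:4] in (b"II*\x00", b"MM\x00*"),
            "spray_byte": byte, "spray_run": run, "spray_indicator": run >= RUN_THRESHOLD}

def triage_pdf(pdf: bytes) -> dict:
    """Carve and decode every stream; collect streams, XFA images, URLs and heuristic tags."""
    report = {"streams": [], "xfa_images": [], "urls": [], "tags": set()}
    for m in STREAM_RE.finditer(pdf):
        filters, data = decode_stream(m.group(1), m.group(2))
        xfa = any(ns in data for ns in XFA_NAMESPACES)
        report["streams"].append({"offset": m.start(2), "filters": filters,
                                  "xfa": xfa, "size": len(data)})
        # XDP/XFA schema namespace URIs appear in every XFA form; they are not IOCs.
        report["urls"] += [u.decode(errors="replace") for u in URL_RE.findall(data)
                           if not u.startswith(XFA_NAMESPACES)]
        if b"ASCIIHexDecode" in filters:
            report["tags"].add("PDF_FILTER_HEX")
        if xfa:
            report["tags"].add("PDF_XFA")
            for img in IMAGE_RE.finditer(data):
                info = triage_image_blob(img.group(1))
                report["xfa_images"].append(info)
                if info["spray_indicator"]:
                    report["tags"].add("SHELLCODE_CANDIDATE")  # assumed tag name
    if report["urls"]:
        report["tags"].add("EMBEDDED_URL")
    if b"/EmbeddedFile" in pdf:
        report["tags"].add("PDF_EMBEDDED")
    return report
```

Calling `triage_pdf(build_sample_pdf(XFA_XML))` on the constructed sample yields the PDF_FILTER_HEX, PDF_XFA, EMBEDDED_URL and SHELLCODE_CANDIDATE tags, the placeholder URL, and one decoded image blob with a valid TIFF magic and a 600-byte run of 0x0C. On a real file use `triage_pdf(open(path, "rb").read())`. The run-length check is only an indicator: an uncompressed TIFF with a large flat-colour area also produces long single-byte runs, so, as with this report, the next step is to look at what follows the run, not to treat the run alone as shellcode.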