PDF static analysis report

Static analysis result for SHA-256 75d517031bb73a83…

SUSPICIOUS

PDF

35.8 KB
MD5: c26f54f33fcab76b177ad7a95be60273
SHA-1: fb3d33c2aa1fb76d75bb0492abfc159946acdd54
SHA-256: 75d517031bb73a83024582b8845ff4103bff2aeb6f6d5c303af4fa2d775a6b1a
Risk Score: 56

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF file contains multiple embedded files and an embedded script payload, strongly indicating an attempt to deliver a malicious payload. The ML classifier assigned a very high probability of maliciousness. While the specific exploit or payload is not detailed, the presence of embedded content and scripts suggests an attack pattern involving exploitation for client execution, likely delivered via spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded script payload in PDF stream low PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename (hash) | Kind | Source | Size
embedded_file_obj0008.bin (0a2224c4023b216235b61c3fc4dd17bbfac1ab23a545687f51b97604cf654712) | pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0xC6 | 46 bytes
embedded_file_obj0009.bin (6a7b1391f942685f8737fe09cc965d327a0f8d4dc91f944f3faa78db46f4f7c8) | pdf-embedded-file | PDF EmbeddedFile object 9 at offset 0x138 | 671 bytes
embedded_file_obj0010.bin (4211ca79ab65920278a17137e75139e0c9901a35150e659dce24e11f39830d25) | pdf-embedded-file | PDF EmbeddedFile object 10 at offset 0x41C | 150 bytes
embedded_file_obj0011.bin (919311c4f3a5f8d631c55fffd296ccf550fdb5d7b4350edc85e72b711cfc5686) | pdf-embedded-file | PDF EmbeddedFile object 11 at offset 0x4F7 | 437 bytes
embedded_file_obj0012.bin (072090be5ea6c4a216543a1d4332d27d322264f3038bbd986db2a09048143a1c) | pdf-embedded-file | PDF EmbeddedFile object 12 at offset 0x6F1 | 181 bytes
embedded_file_obj0014.bin (6bd545dcbb368b243478f40a2ebd76887c950f2367dbd61b4267c60e64ea7a4b) | pdf-embedded-file | PDF EmbeddedFile object 14 at offset 0x7EC | 33985 bytes