Malicious PDF — malware analysis report

Static analysis result for SHA-256 80d69c185929669a…

MALICIOUS

PDF

29.8 KB
MD5: d10a3fbae667ce1731c0c68420ff60ff SHA-1: a24cc67dd39bbd47bf47d19bcbbe5111a12b7503 SHA-256: 80d69c185929669a1ad86033a479dde6d71db83c3b876ab115f23ea3beff017f
66 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious Link: Malicious File T1059 Command and Scripting Interpreter

The PDF file was flagged as malicious by an ML classifier with high confidence. Heuristics indicate the presence of an embedded script payload within a PDF stream, suggesting an attempt to execute malicious code. The file also contains embedded URLs, one of which is of unknown reputation, potentially serving as a lure or download source.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9945

Heuristics 4

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_000002dc.bin
6c4a9707c6f20f466a027fed5db5d127c7239be4efe60705f03d8778e3a31121		 pdf-embedded-script PDF decompressed stream script payload at offset 0x2DC 26708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.