Malicious PDF — malware analysis report

Static analysis result for SHA-256 8257d9d19a20da26…

MALICIOUS

PDF

28.5 KB First seen: 2026-05-08
MD5: 8b1e9bbc19a5353e76c056f8cdea5760 SHA-1: fa06f45e0c7cd5d6524bbdb4e2f78741f37cb255 SHA-256: 8257d9d19a20da26465e71ee93c0cf3191b0748ee3ac2663dd67659f324a250e
76 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded script payloads and PRC/3D content, strongly indicating it is designed to exploit vulnerabilities for client execution. The ML classifier also flagged it as malicious with high confidence. While specific delivery vectors are not detailed, the nature of PDF exploits often points to spearphishing attachments.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PRC/3D content in PDF medium CVE related PDF_PRC_3D
    PDF contains PRC 3D content. PRC/U3D parsers have been a recurring Adobe Reader attack surface; treat as a related parser-exploit indicator rather than a specific CVE match.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded script payload in PDF stream low PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/ In PDF document text
    • http://www.xfa.org/schema/xci/1.0/In PDF document text
    • http://www.xfa.org/schema/xfa-template/2.5/In PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0002.bin pdf-embedded-file PDF EmbeddedFile object 2 at offset 0xCA 46 bytes
SHA-256: 0a2224c4023b216235b61c3fc4dd17bbfac1ab23a545687f51b97604cf654712
embedded_file_obj0008.bin pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x153 237 bytes
SHA-256: 0198cadf37c41332ccef55cb6cdba8a607954abe96ea35b5f7a442a0f4d93e66
embedded_file_obj0001.bin pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x532 27304 bytes
SHA-256: 249531a05c8cde7edfb72b08be71397163ba672ea548202004db1da6deb2b375