Malicious PDF — malware analysis report

Static analysis result for SHA-256 8aa7df39e9ee86d5…

Verdict: MALICIOUS
File type: PDF
Size: 5.5 KB
MD5: 96709edf5487a3050ae3553055ac83b4
SHA-1: f65141b23960b26c5230f2937692853940ff9281
SHA-256: 8aa7df39e9ee86d52857c2a1ccff5c1b921679e9efa643681ae13a56d7f55d15
Risk score: 158

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
  • T1566.002 Phishing: Spearphishing Attachment

Static heuristics flag executable script content at high severity: PDF_XFA_SCRIPT (an XFA form whose script block carries exploit, submission/launch or shell-execution primitives) together with PDF_EVAL and PDF_UNESCAPE matched inside decoded stream data. The carved script payload embedded_file_obj0010.bin (1744 bytes, decoded) contains eval/decoder tokens and is the most likely stage responsible for downloading and executing a second-stage payload. Carrying the script in an XFA form and in an embedded file stream, rather than in a document-level /JavaScript action, is a delivery pattern commonly used to evade scanners that only inspect the obvious action entries. ClamAV reported no detection for the carved payload, so the MALICIOUS verdict rests on the heuristics below rather than on a signature match.

Heuristics (7)

  • PDF_XFA_SCRIPT (high, CVE-related): XFA form contains risky executable script
    PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behaviour is present.
  • PDF_EVAL (high): eval() call
    eval() found; commonly used for obfuscated exploit execution (matched inside decoded stream).
  • PDF_UNESCAPE (high): unescape() call
    unescape() found; often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
  • PDF_EMBEDDED_SCRIPT_PAYLOAD (medium): Embedded script payload in PDF stream
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; common in accessible XFA forms but worth surfacing for analyst review.
  • PDF_EMBEDDED (low): Embedded file
    PDF embeds a file attachment; it could carry an executable or another weaponised document as a nested payload.
  • PDF_XFA (low): XFA form
    PDF uses XML Forms Architecture, which can contain script logic.
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (7)

Files carved from inside the sample during analysis. Sizes are those of the carved (decoded) content, not of the stream on disk: object 12 yields 17281 bytes from a 5.5 KB file, so its stream is stored compressed.

  • embedded_file_obj0008.bin
    SHA-256: ef62e46517e0ab9128be5d63feaf817466470f1173e71e6b58c21218c5c2f3c8
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0x33A
    Size: 47 bytes
  • embedded_file_obj0009.bin
    SHA-256: 101ba7115e4b42f8f582812aa8c52e1372a145b22f143ddc24dfad027378eef6
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 9 at offset 0x3C6
    Size: 229 bytes
  • embedded_file_obj0010.bin
    SHA-256: 7faf410a8d245f7657922c5241d1d674e4217ffae1acb2d02a3929655ac430fe
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 10 at offset 0x4B8
    Size: 1744 bytes
    Detection: ClamAV found no threats
    Obfuscation or payload: likely; the carved artifact contains 2 eval/decoder/string-building token(s)
  • embedded_file_obj0011.bin
    SHA-256: e1c68077d11dccab0579be0ccb04561b7f732fa1883680eef6e55b9e9477fe22
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 11 at offset 0x79F
    Size: 200 bytes
  • embedded_file_obj0012.bin
    SHA-256: 5fa03346e7c72ab966dcda87eb727d7cc7ec36552b9e3179eca763166679d4a5
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 12 at offset 0x893
    Size: 17281 bytes
  • embedded_file_obj0013.bin
    SHA-256: 863fe193664516f0db42fd686d863a1b9cad88d3d0cb37f8d2f8497979368f02
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 13 at offset 0x11BB
    Size: 78 bytes
  • embedded_file_obj0014.bin
    SHA-256: 92a3ce61d783e15932b5de127ce45a9b4c2f98f4da2453f65241573c1dda808a
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 14 at offset 0x1263
    Size: 56 bytes
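Added example, not the analysis service's own code: a small static triage script that reproduces the two things this report shows, the heuristic matching over decoded streams (PDF_EVAL, PDF_UNESCAPE, PDF_XFA, PDF_XFA_SCRIPT, PDF_EMBEDDED, PDF_EMBEDDED_SCRIPT_PAYLOAD) and the carving of /EmbeddedFile objects with the filename, offset, size and SHA-256 bookkeeping of the artifact table. The rule names follow the report but the patterns, the list of risky XFA primitives and the verdict roll-up are this example's assumptions; the PDF it scans is a constructed sample with an XFA script block and a FlateDecode'd embedded file, not the 8aa7df39… sample.

```python
"""Static PDF triage in the spirit of the heuristics and artifact table above.

Added example, not the analysis service's code. Scans the objects of a PDF
byte string, inflates FlateDecode streams, flags script primitives and carves
/EmbeddedFile streams. Rule patterns and the risky-primitive list are assumed.
"""
import hashlib
import re
import zlib

# (rule id, severity, pattern): names mirror the report, patterns are assumed
RULES = [
    ("PDF_EVAL", "high", re.compile(rb"\beval\s*\(")),
    ("PDF_UNESCAPE", "high", re.compile(rb"\bunescape\s*\(")),
    ("PDF_EMBEDDED_SCRIPT_PAYLOAD", "medium", re.compile(rb"<script\b", re.I)),
    ("PDF_XFA", "low", re.compile(rb"/XFA\b")),
    ("PDF_EMBEDDED", "low", re.compile(rb"/Type\s*/EmbeddedFile\b")),
]
# Launch/submission/shell primitives that upgrade an XFA <script> block to
# PDF_XFA_SCRIPT (assumed list; the service's real list is not on the page).
XFA_RISKY = re.compile(rb"app\.launchURL|submitForm|exportDataObject|ShellExecute|cmd\.exe|powershell", re.I)
DECODER_TOKENS = re.compile(rb"\b(?:eval|unescape|fromCharCode)\s*\(")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_START = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b")


def iter_objects(pdf: bytes):
    """Yield (objnum, file offset, dict bytes, decoded stream or None).

    Objects are found by a linear scan for 'N G obj' rather than via the xref,
    so objects hidden by a broken or incremental-update xref are still seen.
    Demo simplification: only a direct /Length is honoured (no indirect refs).
    """
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        sm = STREAM_START.search(body)
        if sm is None:
            yield num, m.start(), body, None
            continue
        head, start = body[: sm.start()], sm.end()
        lm = LENGTH_RE.search(head)
        if lm:
            data = body[start:start + int(lm.group(1))]
        else:
            data = body[start:body.find(b"endstream", start)].rstrip(b"\r\n")
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # keep the raw bytes so the rules still see something
        yield num, m.start(), head, data


def scan(pdf: bytes) -> dict:
    """Return {'heuristics': {rule: {severity, objects}}, 'artifacts': [...]}."""
    hits, artifacts = {}, []

    def hit(rule, sev, num):
        hits.setdefault(rule, {"severity": sev, "objects": []})["objects"].append(num)

    for num, off, head, data in iter_objects(pdf):
        searchable = head + (data or b"")  # rules match inside decoded streams too
        for rule, sev, pat in RULES:
            if pat.search(searchable):
                hit(rule, sev, num)
        if data and re.search(rb"<script\b", data, re.I) and XFA_RISKY.search(data):
            hit("PDF_XFA_SCRIPT", "high", num)
        if data is not None and re.search(rb"/Type\s*/EmbeddedFile\b", head):
            artifacts.append({
                "filename": f"embedded_file_obj{num:04d}.bin",
                "sha256": hashlib.sha256(data).hexdigest(),
                "kind": "pdf-embedded-file",
                "source": f"PDF EmbeddedFile object {num} at offset 0x{off:X}",
                "size": len(data),
                "decoder_tokens": len(DECODER_TOKENS.findall(data)),
            })
    return {"heuristics": hits, "artifacts": artifacts}


def verdict(result: dict) -> str:
    """Assumed roll-up: any high-severity rule is MALICIOUS, medium is SUSPICIOUS."""
    sevs = {h["severity"] for h in result["heuristics"].values()}
    return "MALICIOUS" if "high" in sevs else "SUSPICIOUS" if "medium" in sevs else "CLEAN"


# Constructed second-stage stub carried as the embedded file (demo content only).
SAMPLE_PAYLOAD = (
    b'var h = "%63%6d%64%2e%65%78%65";\n'
    b'var c = String.fromCharCode(112,111,119,101,114,115,104,101,108,108);\n'
    b'eval(unescape(h) + " /c " + c + " -nop -w hidden");\n'
)


def build_sample_pdf() -> bytes:
    """Constructed PDF: object 5 is an XFA form whose script uses unescape()/eval()
    and a launch primitive; object 6 is a FlateDecode'd /EmbeddedFile. No xref."""
    xfa = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template><subform name="f">'
           b'<event activity="initialize"><script contentType="application/x-javascript">'
           b'var s = unescape("%61%70%70"); eval(s); app.launchURL("http://example.invalid/");'
           b'</script></event></subform></template></xdp:xdp>')
    comp = zlib.compress(SAMPLE_PAYLOAD)
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AcroForm << /XFA 5 0 R >> >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n",
        b"5 0 obj\n<< /Length %d >>\nstream\n" % len(xfa) + xfa + b"\nendstream\nendobj\n",
        b"6 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n" % len(comp)
        + comp + b"\nendstream\nendobj\n",
        b"%%EOF\n",
    ])


if __name__ == "__main__":
    report = scan(build_sample_pdf())
    print("Verdict:", verdict(report))
    for rule, h in sorted(report["heuristics"].items()):
        print(f"  {h['severity']:<6} {rule:<28} objects {h['objects']}")
    for a in report["artifacts"]:
        print(f"  {a['filename']} {a['size']} B {a['source']} sha256={a['sha256']}")
```

Run it directly to print the verdict and findings; on a real file call scan(open(path, "rb").read()). Because the rules run over the inflated stream bytes, an eval() hidden inside a FlateDecode stream is reported as "matched inside decoded stream", exactly the qualifier the heuristics above carry. A production parser would additionally resolve indirect /Length references, handle filter chains and object streams, and recurse into carved artifacts (the EXTRACTED_FILE_STATIC_TRIAGE step), none of which this demo attempts.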