MALICIOUS
118
Risk Score
Malware Insights
MITRE ATT&CK
T1204 Malicious File
T1059 Command and Scripting Interpreter
The PDF file contains an embedded script payload and a launch action, indicating an attempt to exploit vulnerabilities. The ML classifier strongly flagged this PDF as malicious. The embedded script likely attempts to download and execute a second-stage payload from one of the unknown reputation URLs. The XFA form suggests a more complex, script-driven attack vector.
Machine Learning
- Nyx PDF Classifier malicious score 0.9955
Heuristics 4
-
Launch action high PDF_LAUNCHPDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
-
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://xakepy.cc/index.php
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://www.w3.org/1999/xhtml
- http://www.xfa.org/schema/xfa-data/1.0/
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_pdf_script_00000642.bin65f195d95793559c962825531c00c26658edca8e631c201a0e879b629e00f543 |
pdf-embedded-script | PDF raw stream script payload at offset 0x642 | 4190 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.