PDF malware analysis — malicious · 90dbbe3579c16962

MALICIOUS

PDF

5.7 KB

MD5: 97ccf71b6bb93d135cae9a3336cf269b SHA-1: 9eed53d72a36b8f23d7c05edb7976dc61b87c87c SHA-256: 90dbbe3579c1696206d9d2f37c8507ee4aeb6080c6b6e393e1418ca46ed2e9bc

60 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution: Malicious File

The PDF contains an XFA form and an embedded JavaScript payload, strongly indicating malicious intent. The ML classifier assigned a high probability of maliciousness. The JavaScript payload, identified as 'stream_000_off0000069c.js', is likely responsible for downloading and executing a second-stage payload. The exact nature of the payload is not discernible from the static analysis alone.

Machine Learning

Nyx PDF Classifier malicious score 0.9987

Heuristics 3

Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_000_off0000069c.js` `f5368e1dea49788171729333207d766f7abb5134b4cfbb5c633acc6cf4d74e06`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x69C	15296 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 5 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.