Malicious PDF — malware analysis report

Static analysis result for SHA-256 93c0f4390415ef55…

Verdict: MALICIOUS
File type: PDF
Size: 925.5 KB
First seen: 2026-05-11
MD5: adbd37a4179136863a26a882e3c25b15
SHA-1: 8c495e250c457d69e684fb4a20fea4020b9ec39a
SHA-256: 93c0f4390415ef55a9c66a394fcf2ff5f9be1ea5b9e5520de4591007df2e379a
Risk score: 60

🔏 Digital signature: modified after signing

A signature covers only the bytes inside its /ByteRange. PDF JavaScript is never signed on its own, and an intact signature does not by itself mean the document is safe. In this sample the file was extended after the signature was applied, so the appended content carries no signer approval at all.

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell (no shell-execution primitives were observed in the static findings below, so treat this mapping as inferred from the delivery pattern rather than evidenced by this sample)

The PDF exhibits multiple indicators of malicious intent: file attachments, an XFA form carrying JavaScript, and an incremental update appended after the digital signature. The embedded script payload and the suspicious extracted artifact (embedded_file_obj0003.bin, which contains long base64-like blobs) strongly suggest that this document is a delivery mechanism for a secondary payload. The extracted URLs are XMP/XFA namespace identifiers and certificate CRL/OCSP endpoints rather than download locations, so they neither support nor weaken the verdict reached by the heuristics.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0335

Heuristics (9)

  • Active content added after the PDF was signed [medium] PDF_SIGNATURE_POST_SIGN_MODIFICATION
    An incremental update appended AFTER the signed byte range introduces active content (/EmbeddedFile). Some of this can occur in legitimate form-fill (field scripts, a rewritten /Catalog), so it is suspicious rather than damning, but it is content the signer did not approve.
  • Embedded file [low] PDF_EMBEDDED
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • JavaScript action [low, 1 related finding] PDF_JAVASCRIPT
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream [low] PDF_JS
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form [low] PDF_XFA
    The PDF uses XML Forms Architecture, which can contain script logic. (matched inside decoded stream)
  • Embedded script payload in PDF stream [info] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ocsp.verisign.com0 (referenced by PDF JavaScript)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://cgi.adobe.com/special/acrobat/update (referenced by PDF JavaScript)
    • http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H (referenced by PDF JavaScript)
    • http://www.microsoft.com/pki/certs/CSPCA.crt0 (referenced by PDF JavaScript)
    • http://crl.microsoft.com/pki/crl/products/tspca.crl0H (referenced by PDF JavaScript)
    • http://www.microsoft.com/pki/certs/tspca.crt0 (referenced by PDF JavaScript)
    • http://www.microsoft.com/typography (referenced by PDF JavaScript)
    • http://crl.verisign.com/tss-ca.crl0 (referenced by PDF JavaScript)
    • http://crl.verisign.com/ThawteTimestampingCA.crl0 (referenced by PDF JavaScript)
    • https://www.verisign.com/rpa (referenced by PDF JavaScript)
    • https://www.verisign.com/rpa01 (referenced by PDF JavaScript)
    • http://crl.verisign.com/pca3.crl0 (referenced by PDF JavaScript)
    • http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D (referenced by PDF JavaScript)
    • https://www.verisign.com/rpa0 (referenced by PDF JavaScript)
    • http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0 (referenced by PDF JavaScript)
    • http://www.adobe.com/type (referenced by PDF JavaScript)
    • http://www.adobe.com/type/legal.html (referenced by PDF JavaScript)
    • http://ns.adobe.com/xdp/ (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xci/1.0/ (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xci/2.8/ (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-template/2.5/ (referenced by PDF JavaScript)
    • http://www.w3.org/1999/xhtml (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-data/1.0/ (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-template/2.1/ (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-locale-set/2.1/ (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-form/2.8/ (referenced by PDF JavaScript)
    • http://www.w3.org/2001/XMLSchema-instance (referenced by PDF JavaScript)
    • http://www.microsoft.com/typography/fonts/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/xtd/ (in PDF document text)
    • http://ns.adobe.com/xfdf/ (in PDF document text)
    Reading the list: the VeriSign, Thawte and Microsoft entries are the CRL, OCSP and AIA endpoints of a code-signing and timestamping certificate chain, and the trailing characters such as "0", "0H" and "0D" are DER bytes that follow each URL inside the encoded certificate, not part of the address. The remaining entries are XMP, RDF and XFA schema namespaces. "Referenced by PDF JavaScript" means the string was found inside a stream the scanner classed as JavaScript; it does not by itself show that script code fetches the URL.
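The two structural heuristics above (active content appended after the signed byte range, and one object number defined twice with different bodies) are both cheap to reproduce from raw bytes. The script below is an added example, not the analysis platform's own rule code: it reads every /ByteRange in the file, treats everything past the last signed offset as an unsigned incremental update and lists the active-content names found there, and separately hashes each "N G obj ... endobj" body so that a redefinition with different bytes is reported together with the active names it carries. The two-revision sample PDF it builds is constructed inline for the demonstration; the regex object scanner is deliberately simple and does not handle streams whose data happens to contain the token endobj.

```python
"""Added example: scanner for PDF_SIGNATURE_POST_SIGN_MODIFICATION and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shapes. Not the platform's code; the
sample PDF is constructed inline."""
import hashlib
import json
import re

# Top-level "N G obj ... endobj". A real tokenizer is needed for streams whose
# data contains the literal token endobj; that is out of scope for this demo.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
# Name tokens that make a revision "active"; the lookahead stops /JS matching /JSX.
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|EmbeddedFiles?|Launch|OpenAction|AA|XFA|RichMedia)(?![A-Za-z])")


def signed_end(pdf: bytes):
    """Offset one past the last byte covered by any signature's /ByteRange.
    ByteRange is [off1 len1 off2 len2]; off2 + len2 is where signed data stops."""
    ends = [int(m.group(3)) + int(m.group(4)) for m in BYTERANGE_RE.finditer(pdf)]
    return max(ends) if ends else None


def active_names(data: bytes):
    return sorted({m.group(1).decode() for m in ACTIVE_RE.finditer(data)})


def duplicate_objects(pdf: bytes):
    """Objects whose (num, gen) is defined twice with different body bytes.
    First-wins readers keep the earlier copy, last-wins readers the later one."""
    first = {}
    dups = []
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        digest = hashlib.sha256(body).hexdigest()
        if key not in first:
            first[key] = (digest, m.start())
        elif first[key][0] != digest:
            dups.append({"obj": key, "first_offset": first[key][1],
                         "later_offset": m.start(), "active": active_names(body)})
    return dups


def triage(pdf: bytes) -> dict:
    end = signed_end(pdf)
    post = active_names(pdf[end:]) if end is not None else []
    return {"file_len": len(pdf), "signed_end": end,
            "post_sign_active": post, "duplicate_objects": duplicate_objects(pdf)}


def build_sample() -> bytes:
    """Constructed test file: revision 1 carries a signature, revision 2 is an
    incremental update that redefines the /Catalog with JavaScript and an attachment."""
    head = (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n")
    trailer1 = b"trailer\n<< /Root 1 0 R /Size 4 >>\nstartxref\n0\n%%EOF\n"
    sig_tpl = (b"3 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
               b"/ByteRange [0 %08d %08d %08d] /Contents <00> >>\nendobj\n")
    # Fixed-width numbers keep the object length constant while they are filled in.
    # For brevity the signing "hole" is the whole signature object; real signers
    # exclude only the /Contents hex string.
    sig_len = len(sig_tpl % (0, 0, 0))
    hole_start = len(head)
    hole_end = hole_start + sig_len
    signed = head + sig_tpl % (hole_start, hole_end, len(trailer1)) + trailer1
    update = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
              b"/Names << /EmbeddedFiles << /Names [(x.bin) 5 0 R] >> >> "
              b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"
              b"5 0 obj\n<< /Type /Filespec /F (x.bin) /EF << /F 6 0 R >> >>\nendobj\n"
              b"6 0 obj\n<< /Type /EmbeddedFile /Length 4 >>\nstream\nMZ\x90\x00\nendstream\nendobj\n"
              b"trailer\n<< /Root 1 0 R /Prev 0 /Size 7 >>\nstartxref\n0\n%%EOF\n")
    return signed + update


if __name__ == "__main__":
    print(json.dumps(triage(build_sample()), indent=2))
```

Run against the constructed file, `triage` reports a signed_end below file_len, the names JavaScript, JS, OpenAction and EmbeddedFile(s) in the unsigned tail, and object 1 0 as a duplicate whose later body is active; run against the first revision alone, both findings are empty. On a real sample, compare signed_end with the file size first: a gap of a few hundred bytes containing only a rewritten /Catalog or form field values is the benign form-fill case the heuristic text describes, while a gap that introduces /EmbeddedFile or /JavaScript is the shape scored here.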

Extracted artifacts (19)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
embedded_file_obj0001.bin | pdf-embedded-file | PDF EmbeddedFile object 1 at offset 0xC3A3B | 85 bytes
  SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
embedded_file_obj0002.bin | pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0xC3AED | 1863 bytes
  SHA-256: 7a535feebfdf65e33dac0809662f8b60fdfa95d329a1dfcfd77141a33ad52d21
embedded_file_obj0003.bin | pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0xC3E2E | 79256 bytes
  SHA-256: 9128b333c2652dd8129729a8de42ce28fd6a95c807de0e37643aae9ef8926e97
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs)
embedded_file_obj0004.bin | pdf-embedded-file | PDF EmbeddedFile object 4 at offset 0xC7FA9 | 661 bytes
  SHA-256: 0c1232497791015b9da3b7a118cd328567f979874fd59d44a991c00d73c1bae1
embedded_file_obj0005.bin | pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0xC8132 | 2423 bytes
  SHA-256: 2d58413fda1ff20c994606823bf49e41194612c0137b6315e50fa7bdc01f1e09
embedded_file_obj0006.bin | pdf-embedded-file | PDF EmbeddedFile object 6 at offset 0xC8413 | 200 bytes
  SHA-256: 500856001a9edb17a299f41c8b34871c12c85d56ec8eff03ef181fca24bb96b5
embedded_file_obj0007.bin | pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0xC8507 | 1223 bytes
  SHA-256: 4eaff9c8940bc84d6544bdbb4684c6a3012cfc3024aa5b9e56d6f74e853e5a36
embedded_file_obj0008.bin | pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0xC875B | 80 bytes
  SHA-256: 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19
embedded_file_obj0009.bin | pdf-embedded-file | PDF EmbeddedFile object 9 at offset 0xC8805 | 489 bytes
  SHA-256: 762f92651ac8313f1d9ae2d265ab938421722e68d7e165414374b45c7c51674d
embedded_file_obj0441.bin | pdf-embedded-file | PDF EmbeddedFile object 441 at offset 0xE5FDB | 1274 bytes
  SHA-256: 7930903626ce60bb85de56a1d4c6041ebbb4fe24e326e5fe64c7350e22a0b202
embedded_file_obj0442.bin | pdf-embedded-file | PDF EmbeddedFile object 442 at offset 0xE6286 | 2704 bytes
  SHA-256: 718bea5eb29fd0cfd5b56bf1a5e881ed7ee4b348ea0167be91bfbdbc14fec709
stream_002_off000039c5.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x39C5 | 1532 bytes
  SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
stream_003_off00003bb1.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3BB1 | 870 bytes
  SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
stream_034_off0001773b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1773B | 842934 bytes
  SHA-256: 52d70a92aaaffa81d846be3d557cd4788888c8f17f2e617b62f9ae1a9f3441b7
objstm_0318_00.bin | pdf-objstm-decoded | PDF /ObjStm 318 0 obj (inflated) | 30706 bytes
  SHA-256: 53a189947bed6a7eb8d739ed61afc6620366d69171045087c557686c2fbc0cc6
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 13 long base64-like blobs)
font_00_sfnt_off00004311.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4311 | 97320 bytes
  SHA-256: 926d8eb5abd4c74e46a419aaf25a490564d389c7a250d2392b198a342df65b8a
font_01_sfnt_off00094d61.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x94D61 | 95975 bytes
  SHA-256: c29e5b1537bee8c88b3ffca56c5f24a45ec8da374cf9d4c0b4a78d04fc230949
font_02_cff_off000a804b.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xA804B | 5084 bytes
  SHA-256: 78c10a4d004bca144a2ba1cdefe8aef59b50a32ed796d7a0154ea8541cc30e7c
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.45, consistent with packed or encrypted content)
font_03_cff_off000a931b.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xA931B | 3427 bytes
  SHA-256: c3711a3bed50f323e5d4de20a57a02ffb27f90809222d43c1108cb7b011abafb

Reading the detections: the two "obfuscation or payload" flags that rest on base64-like blobs (obj0003, ObjStm 318) are the ones worth the analyst's time, since the blobs have not been decoded or typed here and the 79 KB attachment is the most plausible carrier for a second-stage file. The entropy flag on font_02 is weak on its own: a compact CFF font program is high-entropy by nature, so confirm that the stream fails to parse as a font before treating it as packed data. The two .js artifacts at 0x39C5 and 0x3BB1 are the decoded JavaScript streams behind the PDF_JAVASCRIPT and PDF_JS findings.