MALICIOUS
Risk Score: 86
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1566.002 Spearphishing Attachment
The PDF sample triggered high-severity heuristics for PDF_OPENACTION and ML_NYX_PDF_MALICIOUS, indicating a malicious PDF designed to exploit vulnerabilities. The presence of an OpenAction trigger suggests the document is configured to automatically execute code upon opening, a common technique for delivering secondary payloads. The ML classifier's high confidence score further supports the malicious nature of the file.
Machine Learning
- Nyx PDF Classifier: malicious (score 0.9985)
Heuristics (3)
- OpenAction trigger (high, PDF_OPENACTION): PDF has an /OpenAction that launches, submits, or opens an external target
- XFA form (low, PDF_XFA): PDF uses XML Forms Architecture — can contain script logic
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures