Malicious PDF — malware analysis report

Static analysis result for SHA-256 9882ebc1073fc9da…

MALICIOUS

PDF

122.6 KB Created: â̘ZrÓ6ìÇq¸ñUÌÌ' Authoring application: ç²å(·Uá٠ڐ0™Š¸9U`ií¢s (via ç•Ø †rõ³ û²O ñcp}ëÀ+˽ò³†)
MD5: fc989fca89996429b1066cfd8d16f13a SHA-1: 20455f2827cbc626822c61884a299244ad1a3416 SHA-256: 9882ebc1073fc9da38274d3aaa9fc45cd8479afe1bc109431c28175285e31da8
132 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment T1140 Deobfuscate/Decode Files or Information

The PDF is heavily obfuscated using encryption and embedded scripts, as indicated by the PDF_ENCRYPTED_WITH_JS and PDF_EMBEDDED_SCRIPT_PAYLOAD heuristics. A hidden HTML iframe further suggests an attempt to redirect the user or load external content. The embedded URLs likely serve as the initial stage for downloading and executing further malicious code. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6514

Heuristics 5

  • Encrypted PDF carries /jS — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/jS). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAME
    PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://count33.51yes.com/click.aspx?id=334798931&logo=6
    • http://mtv.myshw.net/my.htm
    • http://mtv.myshw.net/Happy1.htm
    • http://mtv.myshw.net/Laoding1.Htm
    • http://mtv.myshw.net/chengxu/my.htm
    • http://mtv.myshw.net/chengxu/index.htm
    • http://www.591my.cn/11/vip.htm

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_0001e6de.bin
d02883f4aefc713264c8d2e435e76458a7eeb8db579e96b7f6de38427899d36a		 pdf-embedded-script PDF decompressed stream script payload at offset 0x1E6DE 125488 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.