Malicious PDF — malware analysis report

Static analysis result for SHA-256 98b507217d67d665…

Verdict: MALICIOUS
File type: PDF
Size: 35.8 KB
MD5: bc3f2cbcd4ed2b730feb5196d84faa58
SHA-1: 1f13aa763ee60d17db9d40957f57b33ab5873291
SHA-256: 98b507217d67d6652f50392f659b74fe65af36ada6fd62b752e78bd7aaca98d8
Risk score: 66

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass

An ML classifier flagged the PDF as malicious with maximum confidence (score 1.0000). The file carries six embedded file attachments and an HTML/XFA <script> tag inside a PDF stream, a combination typically used to stage a secondary payload or an exploit, and its XFA form structure is common in weaponised PDFs. Two caveats for the analyst: the script heuristic found no Windows shell-execution primitives next to the tag, and the four extracted URLs are XDP/XFA schema namespaces rather than contact points, so the verdict rests on the classifier and the embedded content, not on a confirmed delivery chain.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms, but worth surfacing for analyst review.
  • Embedded file [low] PDF_EMBEDDED
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form [low] PDF_XFA
    The PDF uses XML Forms Architecture, which can contain script logic.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is the channel that reached it (macro, JS, link annotation, document body, ...). All four URLs below are the XML namespace identifiers that every XDP/XFA form declares, not network indicators:
      • http://ns.adobe.com/xdp/
      • http://www.xfa.org/schema/xci/1.0/
      • http://www.xfa.org/schema/xfa-template/2.5/
      • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (6)

Files carved from inside the sample during analysis. The last one, EmbeddedFile object 14 at 34005 bytes, accounts for more than 90% of the 35.8 KB sample and is the attachment to examine first.

embedded_file_obj0008.bin
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 8 at offset 0xC6
  Size: 46 bytes
  SHA-256: 0a2224c4023b216235b61c3fc4dd17bbfac1ab23a545687f51b97604cf654712

embedded_file_obj0009.bin
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 9 at offset 0x138
  Size: 672 bytes
  SHA-256: 4b5234d069def0c6ca287021f12dde4de15aa89fa0695d8f88beca7091bef4af

embedded_file_obj0010.bin
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 10 at offset 0x41D
  Size: 151 bytes
  SHA-256: 74f2f2c8cd42c8b3e37088cdd27b8f6193ba1b1e3f28e73cd5661d2d24d8cc57

embedded_file_obj0011.bin
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 11 at offset 0x4F9
  Size: 437 bytes
  SHA-256: 919311c4f3a5f8d631c55fffd296ccf550fdb5d7b4350edc85e72b711cfc5686

embedded_file_obj0012.bin
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 12 at offset 0x6F3
  Size: 181 bytes
  SHA-256: 072090be5ea6c4a216543a1d4332d27d322264f3038bbd986db2a09048143a1c

embedded_file_obj0014.bin
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 14 at offset 0x7EE
  Size: 34005 bytes
  SHA-256: 676ce1313993168a44dc86a763bfbcf182b5a5eaf928c02cf17eca396ab2513b
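To show what sits behind the heuristics and the artifact table above, here is an added Python triage carver; it is not part of the analysis platform's tooling and was not run on the analysed sample. It walks a PDF's indirect objects, inflates FlateDecode streams, hashes each carved EmbeddedFile, labels extracted URLs by channel, and raises the four heuristics named in this report. The PDF it runs on is constructed inline for the demonstration; the list of Windows shell-execution primitives and the severity ranking are assumptions, not the platform's rules.

```python
"""Triage carver for the PDF stream objects behind this report's findings.

Added example, not the analysis platform's own tooling: carve every indirect
object that has a stream, inflate FlateDecode data, hash the carved bytes and
raise the report's four heuristics (PDF_EMBEDDED, PDF_XFA,
PDF_EMBEDDED_SCRIPT_PAYLOAD, EMBEDDED_URL). Standard library only.
"""
import hashlib
import re
import zlib

# One indirect object "N G obj ... endobj"; the lazy match keeps objects apart.
OBJ_RE = re.compile(rb"(?P<num>\d+)\s+\d+\s+obj\b(?P<body>.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"\bstream\r?\n(?P<data>.*?)\r?\nendstream", re.DOTALL)
SCRIPT_RE = re.compile(rb"<script\b", re.IGNORECASE)
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
# Namespace URIs every XDP/XFA form declares: schema identifiers, not beacons.
XFA_NAMESPACE_PREFIXES = (b"http://ns.adobe.com/xdp/", b"http://www.xfa.org/schema/")
# Assumed list of Windows shell-execution primitives; one of these in the same
# stream as a <script> tag escalates the script heuristic from medium to high.
SHELL_PRIMITIVES = (b"cmd.exe", b"powershell", b"WScript.Shell", b"ShellExecute", b"rundll32")
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def inflate(dict_bytes: bytes, raw: bytes) -> bytes:
    """Apply FlateDecode when the stream dictionary asks for it."""
    # Filter chains, other filters and /Length are out of scope here; corrupt
    # zlib data is returned raw so it can still be hashed and inspected.
    if b"/FlateDecode" not in dict_bytes:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw


def carve_streams(pdf: bytes):
    """Yield (obj_num, file_offset, dict_bytes, decoded_data) per stream object."""
    for obj in OBJ_RE.finditer(pdf):
        body = obj.group("body")
        st = STREAM_RE.search(body)
        if st is None:
            continue
        dict_bytes = body[: st.start()]
        yield int(obj.group("num")), obj.start(), dict_bytes, inflate(dict_bytes, st.group("data"))


def triage(pdf: bytes) -> dict:
    """Carve artifacts and raise heuristics in the shape of the report."""
    artifacts, hits, urls = [], {}, {}

    def raise_hit(rule: str, severity: str) -> None:
        if SEVERITY_RANK[severity] > SEVERITY_RANK.get(hits.get(rule), -1):
            hits[rule] = severity  # keep the highest severity seen per rule

    if b"/XFA" in pdf:  # AcroForm dictionary points at an XFA stream
        raise_hit("PDF_XFA", "low")
    for num, offset, d, data in carve_streams(pdf):
        kind = "pdf-embedded-file" if b"/EmbeddedFile" in d else "pdf-stream"
        if kind == "pdf-embedded-file":
            raise_hit("PDF_EMBEDDED", "low")
        if any(p in data for p in XFA_NAMESPACE_PREFIXES):
            raise_hit("PDF_XFA", "low")
        if SCRIPT_RE.search(data):
            shell = any(p in data for p in SHELL_PRIMITIVES)
            raise_hit("PDF_EMBEDDED_SCRIPT_PAYLOAD", "high" if shell else "medium")
        for url in URL_RE.findall(data):
            # Per-URL channel label: XFA namespaces are noise, anything else needs a look.
            channel = "xfa-namespace" if url.startswith(XFA_NAMESPACE_PREFIXES) else kind
            urls[url.decode("ascii", "replace")] = channel
            raise_hit("EMBEDDED_URL", "info")
        stem = "embedded_file" if kind == "pdf-embedded-file" else "stream"
        artifacts.append({
            "name": f"{stem}_obj{num:04d}.bin",
            "sha256": hashlib.sha256(data).hexdigest(),
            "kind": kind,
            "offset": offset,  # file offset of "N G obj"
            "size": len(data),  # decoded size, not the on-disk /Length
        })
    return {"artifacts": artifacts, "heuristics": hits, "urls": urls}


# Constructed test input (not the analysed sample): an XFA template carrying a
# <script> block, stored as a FlateDecode /EmbeddedFile in object 8.
SAMPLE_XFA = (
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.5/">'
    b'<script contentType="application/x-javascript">app.alert("hello");</script>'
    b"</template></xdp:xdp>"
)


def build_sample_pdf(xfa: bytes = SAMPLE_XFA) -> bytes:
    """Assemble a minimal hand-built PDF around the given XFA payload."""
    body = zlib.compress(xfa)
    obj1 = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AcroForm << /XFA 8 0 R >> >>\nendobj\n"
    obj2 = b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    obj8 = (b"8 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n")
    return b"%PDF-1.7\n" + obj1 + obj2 + obj8 + b"%%EOF\n"
```

On the constructed input, triage() returns one artifact named embedded_file_obj0008.bin with the decoded size of the XFA payload, the two namespace URLs labelled xfa-namespace, and PDF_EMBEDDED_SCRIPT_PAYLOAD at medium; swapping the script body for one that references WScript.Shell or cmd.exe moves that rule to high. To run it on a real sample, call triage(open(path, "rb").read()). Because it ignores /Length, filter chains and objects packed inside /ObjStm object streams, treat it as a first-pass triage aid and confirm findings with a full PDF parser.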