PDF malware analysis — malicious · 9aacb076c2d55044

MALICIOUS

PDF

79.1 KB

MD5: a963122d0acacae81b65afc5c0d98e33 SHA-1: 0b5c4b35e8cba48a5c2782b7cc6c4782d8385594 SHA-256: 9aacb076c2d5504415c7859ac730fafc02e4520a9164763523afee7b098e49f5

66 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains an embedded script payload, indicated by the 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristic. The ML classifier also flagged this PDF as malicious with a high probability. The embedded script is likely responsible for executing malicious code, potentially leading to further compromise. The presence of XFA forms and embedded files are common characteristics of malicious PDFs.

Machine Learning

Nyx PDF Classifier malicious score 0.9996

Heuristics 4

Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xfa-template/2.5/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_pdf_script_000002da.bin` `5de61f282c4729a7202451df9aa53d0d32bef5b49c9984df42154f5faaaab295`	pdf-embedded-script	PDF decompressed stream script payload at offset 0x2DA	70608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.