Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bfbde2c1f130b81…

MALICIOUS

PDF

76.3 KB Created: 2011-04-15 09:35:27 -04:00 Authoring application: OpenOffice.org 2.4 First seen: 2026-05-08
MD5: 8798d4fb2ebf45a0b4fa1bc87a52cb6c SHA-1: 80307f732dcbb24c8151d0f79e37164e0a48dd2f SHA-256: 9bfbde2c1f130b816bb0f25303a87316f8ddd51c0d5b0dda2e4ac34f60a5ce72
72 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains an embedded URI that points to a sales email address, suggesting a social engineering attempt to solicit contact. The presence of urgency lures in the document body further supports this. No scripts were extracted, and the document body was heavily truncated, limiting further analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8458

Heuristics 6

  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • External URI low PDF_URI
    PDF contains an external URL action
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/ PDF link annotation
    • http://www.xfa.org/schema/xci/1.0/PDF link annotation
    • http://ns.adobe.com/xtd/PDF link annotation
    • http://www.xfa.org/schema/xfa-data/1.0/PDF link annotation
    • http://ns.adobe.com/xfdf/PDF link annotation
    • http://www.xfa.org/schema/xfa-form/2.8/PDF link annotation

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0025.bin pdf-embedded-file PDF EmbeddedFile object 25 at offset 0xF5A3 28449 bytes
SHA-256: e87f418fa7abce43c46c4d6230dea3840a345d4150d7d29cd37c2a54410d3b43
embedded_file_obj0023.bin pdf-embedded-file PDF EmbeddedFile object 23 at offset 0x1292C 84 bytes
SHA-256: d81baa73e490e4cb879e13927cacd1dd1be37524a37eac51603e15117c578777
embedded_file_obj0024.bin pdf-embedded-file PDF EmbeddedFile object 24 at offset 0x129DE 228 bytes
SHA-256: 24c130f03a4cf51d470b536e94c1e58af67665739e200e0ce198ad41086243c0
embedded_file_obj0026.bin pdf-embedded-file PDF EmbeddedFile object 26 at offset 0x12ACF 199 bytes
SHA-256: c97e0522381d6196cc0695f35f4d065f15c9c86a9601a7f776c6afd3f4c6b460
embedded_file_obj0027.bin pdf-embedded-file PDF EmbeddedFile object 27 at offset 0x12BC0 119 bytes
SHA-256: 846dfecc0c93797cb6db4301f6af323fffd76ffdf8c053c439495412785138e7
embedded_file_obj0028.bin pdf-embedded-file PDF EmbeddedFile object 28 at offset 0x12C78 77 bytes
SHA-256: e6c26a3478346d27e841ad49868ebf68bf4c6863b6750e8d60bda3c4c6f79876
embedded_file_obj0029.bin pdf-embedded-file PDF EmbeddedFile object 29 at offset 0x12D1F 56 bytes
SHA-256: 92a3ce61d783e15932b5de127ce45a9b4c2f98f4da2453f65241573c1dda808a

Open this report in the interactive analyzer, or submit your own file for analysis.