Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4c5c3224bd2168d…

MALICIOUS

PDF

13.3 KB First seen: 2026-05-08
MD5: 4cc25e7bde0602834a7df8ca6e5f8d47 SHA-1: 764f6a25c44737e40a7910fc1ea48f095d5e9778 SHA-256: a4c5c3224bd2168ddcf76cff8bbedb8c7ac2754115a65ade1913b7d93470aff2
70 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution: Malicious File T1566.002 Phishing: Spearphishing Attachment

The PDF file contains an embedded script payload, indicated by the PDF_EMBEDDED_SCRIPT_PAYLOAD heuristic. This suggests an attempt to exploit a vulnerability within the PDF reader to execute malicious code. The presence of embedded files and XFA forms further supports this. While the specific exploit is not detailed, the embedded script is the primary indicator of malicious intent, likely to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded script payload in PDF stream info PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/ In PDF document text
    • http://www.xfa.org/schema/xfa-template/2.5/In PDF document text
    • http://www.xfa.org/schema/xfa-data/1.0/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin pdf-embedded-file PDF EmbeddedFile object 8 at offset 0xC6 12906 bytes
SHA-256: bf30769d770bc55cc3a8d966e1b866f45cd953235096f81c9e4a7c216135d62e

Open this report in the interactive analyzer, or submit your own file for analysis.