Malicious PDF — malware analysis report

Static analysis result for SHA-256 a75de9451a1013d3…

Verdict: MALICIOUS
File type: PDF
File size: 12.7 KB
MD5: 2341fed4adddc7c5127dd0b6a8991700
SHA-1: 43656b663b8a23addcffd4a89bfcdedd87797d28
SHA-256: a75de9451a1013d3686e838ac26e2ec5dc69454af37f8b48d869bb450cb038f9
Risk score: 146

Malware Insights

MITRE ATT&CK

  • T1059.001 JavaScript
  • T1204.002 Malicious File

The PDF file contains XFA form elements and triggers a heap spray exploit via JavaScript, as indicated by the critical PDF_XFA_HEAP_SPRAY heuristic. The unescape() function and String.fromCharCode() are used, suggesting obfuscated JavaScript is present. The ML classifier also flagged the PDF as malicious. The embedded URL is likely part of the exploit chain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9154

Heuristics (5)

  • XFA JavaScript heap-spray exploit code (critical, PDF_XFA_HEAP_SPRAY)
    PDF contains XFA script content with heap-spray or shellcode-like JavaScript markers such as large encoded word sequences, util.pack, large arrays, or spray variable names. This is a weaponised Adobe Reader exploit pattern, not a normal interactive form.
  • unescape() call (high, PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits.
  • XFA form (low, PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic.
  • String.fromCharCode (low, PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.xfa.org/schema/xfa-template/2.5/