Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac40ca7c5faac02e…

MALICIOUS

PDF

13.4 KB
MD5: 13db987a1165d003d083e0ebb844e03a SHA-1: e34504ad9e742bdb9c135653590b80d13e6da6b1 SHA-256: ac40ca7c5faac02ef67542920eeb9dde385a6398b2de89565d06e73ff2fd151d
66 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell

The ML classifier strongly indicates maliciousness, supported by heuristics flagging an embedded script payload and an embedded file. The document body contains obfuscated JavaScript, which likely attempts to download and execute a second-stage payload. The embedded file artifact is also a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
d363e00789a2feebbae4438c908f896afaa8dfbb1646a7d6c7c0d773ef0f1ee2		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0xD5 12908 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.