Malicious PDF — malware analysis report

Static analysis result for SHA-256 add1af74fb07f6ca…

Verdict: MALICIOUS
File type: PDF
Size: 130.2 KB
MD5: dc63fdd887b1763fb3e564b0f46a632f
SHA-1: 1eaf871ccc629aedc1fdde70b3d15837a4325457
SHA-256: add1af74fb07f6ca9f68074fafda7df135cb81afc31d81c8bbc880e34ff457d8
Risk score: 84

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF contains embedded JavaScript and an embedded script payload, strongly indicating malicious intent. The ML classifier also flagged this PDF with high confidence. The presence of embedded files, particularly 'embedded_file_obj0004.bin', suggests it may be used to deliver a secondary payload. The specific attack pattern is likely an attempt to exploit PDF vulnerabilities to execute code.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9915

Heuristics (7)

  • Embedded script payload in PDF stream [medium] rule PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file [low] rule PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • JavaScript action [low] rule PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream [low] rule PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form [low] rule PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic. (matched inside decoded stream)
  • Suspicious extracted artifact [info] rule EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] rule EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

embedded_file_obj0001.bin
  SHA-256: f7ee3ef2f8f35d669a6c2b8b0b0ee89655bbc3d04b107a8d22531830f6fc28a1
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 1 at offset 0xCC4
  Size: 86 bytes

embedded_file_obj0002.bin
  SHA-256: 7cfe100cbdcad5aca90e1aff8d47bd1123cf26569260667c1d765df6ce0caa2c
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 2 at offset 0xD77
  Size: 2016 bytes

embedded_file_obj0003.bin
  SHA-256: f3af0cf90c00df075a9ce3a70b1ab9f6630be5831085025f0de58661026ef643
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 3 at offset 0x110B
  Size: 15837 bytes

embedded_file_obj0004.bin
  SHA-256: 1618be88b77384b7e3d67817b9ec19bbbfc7018d18d3fd54d4daaff288c95aaa
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 4 at offset 0x1788
  Size: 11695 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 long base64-like blob(s).

embedded_file_obj0005.bin
  SHA-256: 2680b20f4fac49f509e9b73896071e8d16550d04c32a2854f801644ece0b6d0b
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 5 at offset 0x1B2A
  Size: 4852 bytes

embedded_file_obj0006.bin
  SHA-256: 89db6425645c1f2700e52a38498e90ca6ef07071c0662f0b1655e8eb798468ad
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 6 at offset 0x1F40
  Size: 1223 bytes

embedded_file_obj0007.bin
  SHA-256: af05f8185c725a70291567ae2112fa9a98b368528a7cc440552f0c0847d95121
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 7 at offset 0x218E
  Size: 85 bytes

embedded_file_obj0008.bin
  SHA-256: 8e2b0c5682a7ef5861af182df1c165bec1368e4ec954c0f525b7d9b0aa94381b
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 8 at offset 0x223B
  Size: 332 bytes

stream_002_off00000339.js
  SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x339
  Size: 1532 bytes

stream_003_off00000524.js
  SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x524
  Size: 870 bytes

objstm_0038_00.bin
  SHA-256: fc38668935b818d494502afb894c15e6b0d801951a9c4fd0b0c46f76fef1fb2a
  Kind: pdf-objstm-decoded
  Source: PDF /ObjStm 38 0 obj (inflated)
  Size: 689 bytes