Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae32dbbb9004daef…

Verdict: MALICIOUS
File type: PDF

Size: 36.3 KB
Created: 2010-08-31 07:47:43 UTC
Authoring application: Xerox WorkCentre 265
MD5: b1619c438f0c5de0b37f51f585333e8d
SHA-1: 0f8121a09e83cce044f6cfed02bfe1aebc3ced87
SHA-256: ae32dbbb9004daefd09d91a7423e5218416a429f4cf6efb30ace083d9fc08f1e
Risk score: 68

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The PDF carries seven embedded file attachments, declares an XFA form, and decodes its single image with JBIG2Decode; all three are structures routinely used to deliver malicious content, and the Nyx PDF classifier scores the file as malicious with high confidence (0.9984). No script was extracted from the XFA form or from the content stream, so the verdict rests on the file's structure and the ML score rather than on an identified exploit. The embedded files are the most plausible carrier of a secondary payload: only object 14 (29822 bytes) is large enough to hold a meaningful executable or nested document, while the other six are 56 to 228 bytes each, so object 14 should be typed, hashed and detonated on its own. One caveat for triage: an image-only page compressed with JBIG2Decode is also the normal output of the Xerox WorkCentre scanner recorded as the authoring application, so the JBIG2 and image-only findings are weak signals by themselves; it is the embedded files and the XFA entry, neither of which belongs in a plain scan, that separate this sample from a legitimate scanned document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (4)

  • JBIG2Decode filter (medium, PDF_JBIG2)
    JBIG2 image decoder present; historically used in zero-click exploits.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form (low, PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • PDF paints image(s) but contains no text operators (info, PDF_IMAGE_ONLY_LURE)
    PDF has 1 image XObject and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (7)

Files carved from inside the sample during analysis. All seven are of kind pdf-embedded-file; the source names the owning /EmbeddedFile object and its byte offset in the file.

embedded_file_obj0014.bin (pdf-embedded-file)
  Source: PDF EmbeddedFile object 14 at offset 0x58E7
  Size: 29822 bytes
  SHA-256: 27f4104b63ee4684253e7141423c0a4ba82176282236222e1fad58d04784e7f3

embedded_file_obj0012.bin (pdf-embedded-file)
  Source: PDF EmbeddedFile object 12 at offset 0x8A94
  Size: 84 bytes
  SHA-256: d81baa73e490e4cb879e13927cacd1dd1be37524a37eac51603e15117c578777

embedded_file_obj0013.bin (pdf-embedded-file)
  Source: PDF EmbeddedFile object 13 at offset 0x8B46
  Size: 228 bytes
  SHA-256: 24c130f03a4cf51d470b536e94c1e58af67665739e200e0ce198ad41086243c0

embedded_file_obj0015.bin (pdf-embedded-file)
  Source: PDF EmbeddedFile object 15 at offset 0x8C37
  Size: 199 bytes
  SHA-256: c97e0522381d6196cc0695f35f4d065f15c9c86a9601a7f776c6afd3f4c6b460

embedded_file_obj0016.bin (pdf-embedded-file)
  Source: PDF EmbeddedFile object 16 at offset 0x8D28
  Size: 119 bytes
  SHA-256: 846dfecc0c93797cb6db4301f6af323fffd76ffdf8c053c439495412785138e7

embedded_file_obj0017.bin (pdf-embedded-file)
  Source: PDF EmbeddedFile object 17 at offset 0x8DE0
  Size: 77 bytes
  SHA-256: e6c26a3478346d27e841ad49868ebf68bf4c6863b6750e8d60bda3c4c6f79876

embedded_file_obj0018.bin (pdf-embedded-file)
  Source: PDF EmbeddedFile object 18 at offset 0x8E87
  Size: 56 bytes
  SHA-256: 92a3ce61d783e15932b5de127ce45a9b4c2f98f4da2453f65241573c1dda808a
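The four heuristics and the artifact table above are scanner output; the scanner's own code is not shown. The Python below is an added, constructed example (not the scanner's implementation) that reproduces the same checks: it walks the indirect objects of a PDF with regular expressions, flags JBIG2Decode, /EmbeddedFile and /XFA, applies the image-only-lure test by decoding each page's content stream and looking for the BT/ET, Tj, TJ, ' and " operators, and carves every /EmbeddedFile stream with the same filename, object, offset, size and SHA-256 fields as the table. The sample PDF, the ATTACHMENT bytes and every function name are assumptions made here for the illustration; the object walker ignores cross-reference tables and does not open object streams (/ObjStm), which is enough for a self-contained demonstration but not for a production parser.

```python
"""Toy static triage for this report's PDF heuristics and artifact carving (constructed example, stdlib only)."""
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_START_RE = re.compile(rb"\bstream\r?\n")
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length values only
CONTENTS_RE = re.compile(rb"/Contents\s*(\[[^\]]*\]|\d+\s+\d+\s+R)")
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")
# Text-showing operators named by PDF_IMAGE_ONLY_LURE: BT/ET, Tj, TJ, ' and "
TEXT_OP_RE = re.compile(rb"(?:^|(?<=[\s)\]>]))(?:BT|ET|Tj|TJ|'|\")(?=[\s/\[(<%]|$)", re.MULTILINE)
ATTACHMENT = b"constructed attachment bytes, not a real payload"  # hypothetical embedded file content

def build_sample_pdf(with_text=False):
    """Minimal PDF with the report's four findings: an image-only page (text added when with_text=True),
    a JBIG2Decode image XObject, an /EmbeddedFile stream and an /XFA entry under /AcroForm."""
    page = b"q 612 0 0 792 0 0 cm /Im0 Do Q"
    if with_text:
        page = b"BT /F1 12 Tf 72 720 Td (Invoice attached) Tj ET\n" + page
    def stream(entries, data):
        return b"<< " + entries + b" /Length %d >>\nstream\n" % len(data) + data + b"\nendstream"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /XFA 7 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Resources << /XObject << /Im0 5 0 R >> >> >>",
        stream(b"/Filter /FlateDecode", zlib.compress(page)),
        # placeholder pixel bytes, not a decodable JBIG2 segment; only the filter name matters here
        stream(b"/Type /XObject /Subtype /Image /Width 8 /Height 8 /Filter /JBIG2Decode", bytes(range(16))),
        stream(b"/Type /EmbeddedFile", ATTACHMENT),
        stream(b"", b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"></xdp:xdp>'),
    ]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

def iter_objects(pdf):
    """Yield (object number, offset of the 'N 0 obj' header, body) for every indirect object."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), m.start(), m.group(3)

def raw_stream(body):
    """Still-encoded stream payload, or None. Trusts a direct /Length; otherwise uses the endstream delimiter."""
    start = STREAM_START_RE.search(body)
    length = LENGTH_RE.search(body[:start.start()]) if start else None
    if length:
        return body[start.end():start.end() + int(length.group(1))]
    m = STREAM_RE.search(body)
    return m.group(1) if m else None

def decode_stream(body):
    """Inflate FlateDecode streams; other filters (JBIG2Decode, ...) and corrupt data come back as-is."""
    raw = raw_stream(body)
    if raw is None or not re.search(rb"/Filter\s*/FlateDecode\b", body):
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw  # corrupt or truncated: scan and carve what we have

def run_heuristics(pdf):
    """Return {heuristic id: severity} using the report's own identifiers and levels."""
    bodies = {num: body for num, _, body in iter_objects(pdf)}
    hits = {}
    if any(b"/JBIG2Decode" in b for b in bodies.values()):
        hits["PDF_JBIG2"] = "medium"
    if any(re.search(rb"/Type\s*/EmbeddedFile\b", b) for b in bodies.values()):
        hits["PDF_EMBEDDED"] = "low"
    if any(re.search(rb"/XFA\b", b) for b in bodies.values()):
        hits["PDF_XFA"] = "low"
    n_images = sum(1 for b in bodies.values() if re.search(rb"/Subtype\s*/Image\b", b))
    has_text = False
    for body in bodies.values():
        if not re.search(rb"/Type\s*/Page\b", body):  # \b keeps /Pages out
            continue
        m = CONTENTS_RE.search(body)
        for ref in (REF_RE.findall(m.group(1)) if m else []):
            # decode_stream() falls back to the raw bytes, so one scan covers the raw and decompressed cases
            if TEXT_OP_RE.search(decode_stream(bodies.get(int(ref), b"")) or b""):
                has_text = True
    if n_images and not has_text:
        hits["PDF_IMAGE_ONLY_LURE"] = "info"
    return hits

def carve_embedded_files(pdf):
    """Carve each /EmbeddedFile stream; name, locate and hash it as in the artifact table."""
    out = []
    for num, offset, body in iter_objects(pdf):
        data = decode_stream(body) if re.search(rb"/Type\s*/EmbeddedFile\b", body) else None
        if data is not None:
            out.append({"filename": f"embedded_file_obj{num:04d}.bin", "object": num, "offset": offset,
                        "size": len(data), "sha256": hashlib.sha256(data).hexdigest(), "data": data})
    return out

SAMPLE_PDF = build_sample_pdf()  # the constructed specimen, not the analysed file

if __name__ == "__main__":
    print(run_heuristics(SAMPLE_PDF))
    print([(a["filename"], a["sha256"], hex(a["offset"]), a["size"]) for a in carve_embedded_files(SAMPLE_PDF)])
```

Two details matter for anyone adapting this to real samples. The image-only test is deliberately scoped to page content streams, because the ' and " operators also occur inside XFA XML and other non-content streams and would otherwise mask a lure; and an attachment whose /EmbeddedFile dictionary lives in an object stream or whose /Length is indirect will be missed or carved by delimiter only, which is one reason a scanner reports offsets and hashes per object rather than trusting the PDF's own bookkeeping.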