PDF malware analysis — malicious · afe70e63c5112c64

MALICIOUS

PDF

13.2 KB

MD5: 26d7f992eb369301fafc6b224c473e4e SHA-1: 387c574326b7f8a9338dee3147a240ab0ec02bef SHA-256: afe70e63c5112c646ca80371c1ec35a983f182a96a44b20f642b4aa8f41a1a3f

68 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1566.001 Spearphishing Attachment

The PDF file contains an embedded script payload, indicated by the PDF_EMBEDDED_SCRIPT_PAYLOAD heuristic. The ML classifier strongly flags this as malicious. While the document body is heavily obfuscated, the presence of an embedded script suggests an attempt to execute malicious code, likely to download and run a secondary payload. The embedded file object further supports the malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/
- http://www.xfa.org/schema/xfa-template/2.5/
- http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0008.bin` `6a91f14cee09d16b5ae30b1bf910456a21dccf9fbbc5f55d348376f83d259fcd`	pdf-embedded-file	PDF EmbeddedFile object 8 at offset 0xD5	12758 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.