Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2dbf1b70f29b41d…

MALICIOUS

PDF

22.1 KB Created: 2010-01-13 21:41:58 +08:00 Authoring application: Acrobat 编辑器 8.0 (via Adobe Acrobat 8.1.2) First seen: 2026-05-11
MD5: 939e2594976440a83427147f428e40e1 SHA-1: 3dd7dd729f67903798b1cf57969ed5290b64d25f SHA-256: b2dbf1b70f29b41da569667ecb933901cca9d7cf6129dc94ac8dfe455737ff8f
74 Risk Score

Malware Insights

MITRE ATT&CK
T1059.004 Scripting: Python

The primary finding is a high-severity heuristic indicating a suspicious embedded PDF within the main document. This embedded PDF, identified as 'polyglot_child_pdf_off0000407d.pdf', is the most significant indicator of malicious activity. The presence of multiple 'PDF_DANGLING_INDIRECT' findings within the embedded PDF suggests potential obfuscation or malformation intended to evade detection or exploit vulnerabilities. The benign URLs extracted do not contribute to the maliciousness assessment. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6370

Heuristics 3

  • Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off0000176e.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x176E 341 bytes
SHA-256: 9d7e19ac218e6f8728365073f89e3d1f12b424f876a74ba4ef022cb2a54a74ce
polyglot_child_pdf_off0000407d.pdf polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x407D 6125 bytes
SHA-256: 0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8

Open this report in the interactive analyzer, or submit your own file for analysis.