Malicious PDF — malware analysis report

Static analysis result for SHA-256 b50a24444308c92a…

MALICIOUS

PDF

Size: 101.2 KB
Created: 2010-03-31 10:11:42 UTC
Authoring application: Advanced PDF Repair (http://www.pdf-repair.com)
First seen: 2026-05-10
MD5: 75e603497695f4a0ce9864da4654f254
SHA-1: 00da86569c82c8041e02aa8489fb863a47783d1d
SHA-256: b50a24444308c92ae663503de5a21cd2aff4230b505e8b0a2e426721d17e0029
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF exhibits several suspicious characteristics: an embedded file attachment, an XFA form, and a script payload inside a PDF stream. The TIFF image carved from the XFA form (xfa_image_rawvalue_000.tif) is detected by ClamAV as Win.Exploit.CVE_2010_0188-7 and contains a candidate shellcode region with a NOP sled, PEB access and the recovered command string cmd.exe /c c:\a.pdf, so the document is assessed as a delivery mechanism for further infection rather than a standalone payload. The cross-check parser could not read the document body (PSSyntaxError), so the verdict rests on the static heuristics and the carved artifacts. The embedded file 'embedded_file_obj0001.bin' (13431 bytes, no ClamAV detection, one long base64-like blob) is a key artifact for further analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (7)

  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • Embedded script payload in PDF stream [info] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • PDF differential parser failed [info] PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file with PSSyntaxError. The static heuristics still ran and their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label names the channel (macro, JS, link annotation, document body, ...) that reached it. All of the following were found in the PDF document text. The second and third entries are the same pdf-repair.com URL over-captured by the extractor together with the Info-dictionary keys that follow it (/Producer and /ModDate), not separate URLs; the remaining entries are XMP and XFA namespace identifiers that any XFA form carries.
    • http://www.pdf-repair.com
    • http://www.pdf-repair.com)/Producer(Advanced (over-captured)
    • http://www.pdf-repair.com)/ModDate(D:20100406171120+08 (over-captured)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.4/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://ns.adobe.com/xtd/
    • http://www.xfa.org/schema/xfa-form/2.8/
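The duplicate-object heuristic listed above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a short triage script. The following is an added example written for this report, not the analysis platform's own code: it indexes every `N G obj ... endobj` definition in the raw bytes, deliberately ignores the xref table so that every copy left by incremental updates is seen, and reports objects whose bodies differ, escalating only when one of the bodies carries an active-content key. The keyword list, the severity labels and the sample PDF bytes are constructed for the demo.

```python
"""Flag indirect objects defined more than once with different body bytes.

Added example, not the analysis platform's code. Works on raw bytes and does
not honour the xref table, so a first-wins and a last-wins reader can be
compared directly. The sample PDF at the bottom is constructed for the demo.
"""
import hashlib
import re
from collections import defaultdict

# "N G obj <body> endobj"; the lazy body stops at the first endobj, which is
# good enough for triage (stream data containing "endobj" would need a real parser).
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Keys whose presence in a duplicate makes the parser-confusion shape worth escalating.
# The list is an assumption chosen for the demo, not the platform's rule set.
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|OpenAction|AA|Launch|XFA|EmbeddedFile)\b")


def index_objects(data: bytes):
    """Return {(num, gen): [(offset, body), ...]} in file order."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        defs[key].append((m.start(), m.group(3).strip()))
    return defs


def find_conflicting_duplicates(data: bytes):
    """List objects whose repeated definitions differ in body bytes.

    Identical re-definitions are skipped (ordinary incremental-update noise).
    Each finding records the offsets a first-wins and a last-wins reader
    would resolve and whether either body carries active content.
    """
    findings = []
    for (num, gen), versions in index_objects(data).items():
        if len(versions) < 2:
            continue
        if len({hashlib.sha256(body).hexdigest() for _, body in versions}) == 1:
            continue
        first_off, first_body = versions[0]
        last_off, last_body = versions[-1]
        active = bool(ACTIVE_RE.search(first_body) or ACTIVE_RE.search(last_body))
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(versions),
            "first_wins_offset": first_off,
            "last_wins_offset": last_off,
            "active_content": active,
            "severity": "high" if active else "info",
        })
    return findings


# Constructed sample: an original revision followed by one incremental update.
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # update: catalog gains an /OpenAction (active content), page gains a
    # harmless /Rotate, pages tree is re-written byte-for-byte identical
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Rotate 0 >>\nendobj\n"
    b"4 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for finding in find_conflicting_duplicates(SAMPLE_PDF):
        print(finding)
```

On the constructed sample the catalog (1 0) is reported as high because its last-wins body introduces /OpenAction, the page (3 0) is reported as info because only a layout key changed, and the identically re-written pages tree (2 0) is not reported at all.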

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: embedded_file_obj0001.bin
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 1 at offset 0x51
  Size: 13431 bytes
  SHA-256: cbd31ccce271daa4bd5150e2213ec80b68b481e51470fcc6b5a28ee2541d44c0
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)

Filename: xfa_image_rawvalue_000.tif
  Kind: pdf-xfa-image-tiff
  Source: XFA image/rawValue TIFF payload near offset 0x587
  Size: 8642 bytes
  SHA-256: c7aeef41759b10f172052719a6efb1215f07eb56b2816947525f347b8b0a181b
  Detection: ClamAV: Win.Exploit.CVE_2010_0188-7
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_PEB_ACCESS, SC_STR_CMD.
  Recovered command string(s): cmd.exe /c c:\a.pdf
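The carve-and-triage step that produced the second artifact can be approximated in Python. This is an added example, not the platform's carver: it assumes the TIFF arrives base64-encoded inside an XFA `<image>` element, decodes it, checks the TIFF magic, and applies two of the indicator names from the report, a NOP sled and a `cmd.exe` command string (the PEB-access check is not reproduced). The XFA fragment and the TIFF stub are constructed for the demo; the stub is not a working exploit, and the report's recovered command string is reused only as sample data.

```python
"""Carve base64 <image> payloads out of XFA form XML and triage them.

Added example, not the analysis platform's code. The XFA fragment and the
TIFF stub below are constructed; the stub carries a NOP sled and a command
string so the indicator logic has something to find.
"""
import base64
import re

IMAGE_RE = re.compile(rb"<image\b[^>]*>(.*?)</image>", re.S)
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")       # little- and big-endian TIFF headers
NOP_SLED_RE = re.compile(rb"\x90{16,}")       # 16 or more consecutive x86 NOPs
# "cmd.exe" optionally followed by a switch and a printable argument string
CMD_RE = re.compile(rb"cmd\.exe(?:\s+/[a-zA-Z]\s+[\x20-\x7e]{1,200})?", re.I)


def carve_xfa_images(xfa_xml: bytes):
    """Yield (offset, decoded_bytes) for each base64 <image> element."""
    for m in IMAGE_RE.finditer(xfa_xml):
        b64 = re.sub(rb"\s+", b"", m.group(1))
        try:
            yield m.start(), base64.b64decode(b64, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue


def triage_blob(blob: bytes):
    """Static indicators over a carved blob, named like the report's labels."""
    indicators = []
    if blob[:4] in TIFF_MAGICS:
        indicators.append("TIFF_HEADER")
    sled = NOP_SLED_RE.search(blob)
    if sled:
        indicators.append(f"NOP_SLED({len(sled.group(0))})")
    commands = [m.group(0).decode("ascii", "replace") for m in CMD_RE.finditer(blob)]
    if commands:
        indicators.append("SC_STR_CMD")
    return {"size": len(blob), "indicators": indicators, "commands": commands}


def triage_xfa(xfa_xml: bytes):
    """Carve every <image> payload and attach its indicators and offset."""
    return [{"offset": off, **triage_blob(blob)} for off, blob in carve_xfa_images(xfa_xml)]


# Constructed TIFF stub: valid little-endian header, one IFD entry
# (ImageWidth = 1), then a NOP sled and a command string as shellcode would carry.
FAKE_TIFF = (
    b"II*\x00" + b"\x08\x00\x00\x00"                          # header, IFD at offset 8
    + b"\x01\x00"                                               # one IFD entry
    + b"\x00\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00"       # tag 0x0100, SHORT, count 1, value 1
    + b"\x00\x00\x00\x00"                                       # no further IFD
    + b"\x90" * 64                                              # NOP sled
    + b"cmd.exe /c c:\\a.pdf\x00"                               # command string (demo data)
)

# Constructed XFA fragment carrying the stub as a base64 <image> value.
SAMPLE_XFA = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
    b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.4/">\n'
    b'<field name="ImageField1"><value>\n'
    b'<image contentType="image/tif">' + base64.b64encode(FAKE_TIFF) + b'</image>\n'
    b'</value></field></template></xdp:xdp>\n'
)

if __name__ == "__main__":
    for result in triage_xfa(SAMPLE_XFA):
        print(result)
```

A real carver would also walk the TIFF IFD to find oversized or malformed tags and would run the same indicator pass over the embedded_file_obj0001.bin attachment, since its base64-like blob is the other place a second-stage payload could sit.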