Malicious PDF — malware analysis report

Static analysis result for SHA-256 b53701f1808271cc…

MALICIOUS

PDF

197.1 KB Authoring application: FOP 0.20.5 First seen: 2026-05-10
MD5: 104f20fb9c130db80aab4b74708bf5f4 SHA-1: 5d18a426e9bd3f56c2d5b4ad68519d2126979622 SHA-256: b53701f1808271cc4f8ec796d6c497bf3dcd4c8de4ad61822a59110f301c224b
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains embedded JavaScript and external URIs, indicating an attempt to redirect the user to malicious websites. The heuristics suggest the presence of JavaScript actions and encoded streams, commonly used to obfuscate malicious content. The embedded URLs point to verify.xyzmo.com, likely a phishing domain. No specific malware family could be identified.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8477

Heuristics 6

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.xyzmo.com PDF link annotation
    • https://verify.xyzmo.com/UploadForm.aspx?MyFile=Referenced by PDF JavaScript
    • https://verify.xyzmo.comReferenced by PDF JavaScript
    • https://verify.xyzmo.com.\n\nTheIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0038_000.js pdf-javascript-stream PDF /JS object 38 at offset 0x298A7 1819 bytes
SHA-256: 592db10defe20d4bb92ec7389df4a680eaaac281962e22d216c9f1a50a755d2a
Preview script
First 1,000 lines of the extracted script
js:var fileurl = this.path;if (fileurl.indexOf("http://") != -1 || fileurl.indexOf("https://") != -1 || fileurl.indexOf("ftp://") != -1) { app.alert({cMsg:"Sie versuchen ein Dokument direkt von einer Webseite zu verifizieren.\nBitte folgen Sie einem der folgenden Schritte:\n\nA\) Verwenden Sie den 'click to verify' Knopf Ihrer Applikation.\n\n -- ODER --\n\nB\) Speichern Sie das Dokument auf Ihre Festplatte \(SHIFT-STRG+S\) und versuchen Sie es erneut.\n\n\nYou are trying to verify a document directly from a website.\nProceed with one of these steps:\n\nA\) Use the 'click to verify' button of your application.\n\n -- OR --\n\nB\) Save the document to your harddrive \(SHIFT-CTRL+S\) and try again."});} else {var pos = fileurl.indexOf("/");var laenge = fileurl.length;var urle = fileurl.substring(pos+1,laenge); urle = urle.replace(/\//,":/"); var str = urle; var from= "\/"; var to = "\\"; var idx = str.indexOf( from );while ( idx > -1 ) {str = str.replace( from, to ); idx = str.indexOf( from );} if (app.viewerType!="Reader" && app.viewerVersion>6){ app.launchURL(this.encodeURI("https://verify.xyzmo.com/UploadForm.aspx?MyFile=") + this.encodeURIComponent(str), true);} if (app.viewerType=="Reader"){ this.getURL(this.encodeURI("https://verify.xyzmo.com/UploadForm.aspx?MyFile=") + this.encodeURIComponent(str), false);} if (app.viewerType!="Reader" && app.viewerVersion<7){ app.alert({cMsg:"Die Funktion 'Click to verify' ist in Ihrer Acrobat Version nicht verf?gbar!\nUm Ihr Dokument zu verifizieren \n- ?ffnen Sie in Ihrem Internet Browser die Seite\n\thttps://verify.xyzmo.com.\n\nThe function 'Click to verify' is in your Acrobat version not available!\nTo verify your document\n- open your internet browser and go to \n\thttps://verify.xyzmo.com.", nIcon:1, cTitle:"xyzmo Seal 'Click to verify'"});}}
font_00_cff_off0002747a.bin pdf-font-stream PDF embedded font (cff) at offset 0x2747A 1009 bytes
SHA-256: c566766611233969cb6c10b708f63850c97eb37747205be6d3d09e6bd18004b9
font_01_cff_off00027878.bin pdf-font-stream PDF embedded font (cff) at offset 0x27878 5233 bytes
SHA-256: 2809ffbeff8ddfc09c4ca0296574cbf7e6ff9e3dfca4298b6d751edb5ef5cc2b

Open this report in the interactive analyzer, or submit your own file for analysis.