Malicious PDF — malware analysis report

Static analysis result for SHA-256 c78edf4011b633b9…

Verdict: MALICIOUS
File type: PDF
Size: 10.0 KB
First seen: 2026-05-09
MD5: c747680f32dd2a79d61e0cd2a409ce51
SHA-1: 9aac9f754b82ba3f096154858b286c7c2e8cb9c6
SHA-256: c78edf4011b633b921717a8c1c18c3c296af02367fea3ad4f34cdbb352f050ce
Risk score: 110

Malware Insights

MITRE ATT&CK
T1557 Adversary-in-the-Middle

The PDF was flagged by an ML classifier as malicious with the maximum score (1.0000). Static analysis found two things worth acting on. First, the document carries an XFA form, and the TIFF carved from the form's image rawValue (xfa_image_rawvalue_000.tif, 8346 bytes) matches the ClamAV signature Win.Exploit.CVE_2010_0188-7; CVE-2010-0188 is the libtiff TIFF-parsing flaw in Adobe Reader/Acrobat that was routinely delivered exactly this way, as a base64-encoded TIFF inside an XFA image field that Reader decodes when the form is rendered. Second, the document embeds a file attachment (embedded_file_obj0001.bin, 12946 bytes decoded, so it is stored Flate-compressed inside a 10.0 KB PDF) that ClamAV does not flag but which contains one long base64-like blob; decoding that blob is the next step, since an exploit of this type normally carries its second stage somewhere in the same file. The ATT&CK tag shown above (T1557, Adversary-in-the-Middle) describes network interception and is not supported by any of the static findings, which point to client-side exploitation of the PDF reader on open.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Embedded file (low) PDF_EMBEDDED
    The PDF embeds a file attachment, which can carry an executable or another weaponised document as a nested payload.
  • XFA form (low) PDF_XFA
    The PDF uses XML Forms Architecture, which can contain script logic and, as here, image fields whose base64 rawValue is decoded by the reader at render time.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All six URLs below are XDP/XFA XML namespace identifiers (xmlns values) that appear in every XFA form; the reader never fetches them, so they are not network indicators and should not be added to a blocklist.
    • http://ns.adobe.com/xdp/ (in PDF document text)
    • http://www.xfa.org/schema/xci/1.0/ (in PDF document text)
    • http://www.xfa.org/schema/xfa-template/2.4/ (in PDF document text)
    • http://www.xfa.org/schema/xfa-data/1.0/ (in PDF document text)
    • http://ns.adobe.com/xtd/ (in PDF document text)
    • http://www.xfa.org/schema/xfa-form/2.8/ (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: embedded_file_obj0001.bin
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 1 at offset 0x5A
  Size: 12946 bytes
  SHA-256: 7cff2ae554ff7e102bb4807ec6f5ada930aeefe86ca0059c349c7651202c067e
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)

Filename: xfa_image_rawvalue_000.tif
  Kind: pdf-xfa-image-tiff
  Source: XFA image/rawValue TIFF payload near offset 0x572
  Size: 8346 bytes
  SHA-256: 20f6753f128a4cc086d96fc4b17565f00f78b5fe1e03d65a5d4e58e1d84d1acd
  Detection: ClamAV: Win.Exploit.CVE_2010_0188-7
  Obfuscation or payload: unlikely
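The heuristics and the artifact carving above can be reproduced with a short stdlib-only triage script. The following is an added example, not the analysis platform's own code and not derived from the analysed sample: it builds a constructed PDF with a Flate-compressed /XFA packet whose image field carries a base64 TIFF stub (benign, just a valid magic) and an /EmbeddedFile attachment holding one long base64 run, then walks the stream objects, decodes them, carves TIFF data out of the XFA rawValue, hashes each artifact, and labels the extracted URLs as XFA namespaces versus document text. Object layout, filenames and the byte contents are all assumptions of the example; the TIFF here contains no exploit, so antivirus scanning of the carved files (the ClamAV step in the report) is left as the separate step it is.

```python
import base64
import hashlib
import re
import zlib

# ---- Constructed sample (not the analysed file) ------------------------------
# Benign 128-byte TIFF stub: little-endian magic "II*\0", IFD offset 8, zero pad.
TIFF_STUB = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 120
# XFA packet: template with an image field, datasets holding its value as base64
# (the rawValue channel the report carved xfa_image_rawvalue_000.tif from).
XFA_XML = (
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.4/"><subform name="form1">'
    b'<field name="ImageField1"><ui><imageEdit/></ui><value><image contentType="image/tif"/>'
    b'</value></field></subform></template>'
    b'<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/"><xfa:data><form1>'
    b'<ImageField1 xfa:contentType="image/tif" href="">' + base64.b64encode(TIFF_STUB)
    + b'</ImageField1></form1></xfa:data></xfa:datasets></xdp:xdp>'
)
# Stand-in attachment: arbitrary bytes wrapped in one long base64 run.
EMBEDDED_FILE = b"blob=" + base64.b64encode(bytes(range(256)))


def build_sample_pdf():
    """Assemble a minimal PDF with a Flate-compressed /XFA stream and an /EmbeddedFile."""
    xfa = zlib.compress(XFA_XML)
    objs = [
        b"<< /Type /Catalog /AcroForm 2 0 R /Names << /EmbeddedFiles << /Names [(a.bin) 4 0 R] >> >> >>",
        b"<< /Fields [] /XFA 3 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(xfa) + xfa + b"\nendstream",
        b"<< /Type /Filespec /F (a.bin) /EF << /F 5 0 R >> >>",
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(EMBEDDED_FILE) + EMBEDDED_FILE + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# ---- Triage -------------------------------------------------------------------
OBJ_RE = re.compile(rb"(\d+) 0 obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.S)
B64_BLOB_RE = re.compile(rb"[A-Za-z0-9+/]{128,}={0,2}")   # "long base64-like blob"
URL_RE = re.compile(rb"https?://[^\s<>\"')\]]+")
XFA_NS = (b"http://ns.adobe.com/xdp/", b"http://ns.adobe.com/xtd/", b"http://www.xfa.org/schema/")
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def iter_streams(pdf):
    """Yield (obj number, file offset of data, dict bytes, decoded data) per stream object."""
    for m in OBJ_RE.finditer(pdf):
        s = STREAM_RE.search(m.group(2))
        if not s:
            continue
        dictionary, raw = s.group(1), m.group(2)[s.end():]
        length = re.search(rb"/Length\s+(\d+)(\s+\d+\s+R)?", dictionary)
        if length and not length.group(2):     # direct /Length: slice exactly
            raw = raw[: int(length.group(1))]
        else:                                  # indirect /Length: fall back to keyword
            raw = raw[: raw.rfind(b"endstream")].rstrip(b"\r\n")
        if b"/FlateDecode" in dictionary:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass                           # keep raw; undecodable Flate is itself a signal
        yield int(m.group(1)), m.start(2) + s.end(), dictionary, raw


def carve_xfa_images(xfa_xml):
    """Decode long base64 text nodes of an XFA packet; keep those that start with a TIFF magic."""
    images = []
    for t in re.finditer(rb">([A-Za-z0-9+/=\s]{64,})<", xfa_xml):
        try:
            data = base64.b64decode(t.group(1))
        except ValueError:
            continue
        if data.startswith(TIFF_MAGIC):
            images.append(data)
    return images


def triage(pdf):
    """Static triage mirroring the report's heuristics: embedded files, XFA, carved images, URLs."""
    hits, artifacts, texts = set(), [], [pdf]
    if b"/XFA" in pdf:
        hits.add("PDF_XFA")
    for num, offset, dictionary, data in iter_streams(pdf):
        texts.append(data)
        if b"/EmbeddedFile" in dictionary:
            hits.add("PDF_EMBEDDED")
            blobs = len(B64_BLOB_RE.findall(data))
            if blobs:
                hits.add("EXTRACTED_FILE_STATIC_TRIAGE")
            artifacts.append({"kind": "pdf-embedded-file", "obj": num, "offset": offset,
                              "size": len(data), "sha256": sha256(data), "b64_blobs": blobs})
        if b"xfa.org/schema" in data or b"ns.adobe.com/xdp" in data:
            hits.add("PDF_XFA")
            for img in carve_xfa_images(data):
                artifacts.append({"kind": "pdf-xfa-image-tiff", "obj": num, "offset": offset,
                                  "size": len(img), "sha256": sha256(img)})
    # Namespace URIs are identifiers the reader never fetches; label them so they are not treated as IOCs.
    urls = {u.decode("latin-1"): ("xfa-namespace" if u.startswith(XFA_NS) else "document-text")
            for t in texts for u in URL_RE.findall(t)}
    if urls:
        hits.add("EMBEDDED_URL")
    return {"heuristics": sorted(hits), "urls": urls, "artifacts": artifacts}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pdf()), indent=2))
```

Run it as-is to see the same four heuristic IDs the report lists and two carved artifacts with their SHA-256; pass a real file's bytes to `triage()` to apply the same checks, keeping in mind that the regex object walk is deliberately lenient (no cross-reference table, no object streams) and exists for triage, not for a full parse.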