Malicious PDF — malware analysis report

Static analysis result for SHA-256 c9466ba6c3ce873a…

MALICIOUS

PDF

4.8 KB Created: 2011-04-05 23:46:28 Authoring application: bufdfob
MD5: c1a0239cc36472c027f1ba6ac4da6fc2 SHA-1: 29b246e835f0ae3f0aea1aeb6e65a70259304ff7 SHA-256: c9466ba6c3ce873a3bae8322e0523b358ce0f16f97f126a35d29838a3a597cde
66 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment

The PDF file was flagged as malicious by an ML classifier with high confidence. Heuristics indicate the presence of an embedded script payload within a PDF stream, suggesting an attempt to execute malicious code. The embedded JavaScript file, 'stream_001_off00000309.js', is the primary indicator of malicious activity and likely contains the mechanism for delivering a secondary payload or exploiting a vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off00000309.js
57675bc970addff0c5f4b531343067969830462969e797dfabb27eb1ca431003		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x309 13251 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.