Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf5b66be0877fdb2…

MALICIOUS

PDF

Size: 464.0 KB
Created: 2010-03-16 14:56:25 +08:00
Authoring application: Adobe LiveCycle Designer ES 8.2
First seen: 2026-05-11
MD5: aca150f6bfea0ca1443125586597e391
SHA-1: 7e328221ef4f6e978efe23fa34eac1c5f4e6f050
SHA-256: cf5b66be0877fdb298e8e54376b43ab25ef917fec8de1135efbc018187916d4e
Risk score: 78

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT heuristic. While the document body is unreadable and no specific URLs are directly associated with malicious activity, the presence of JavaScript suggests an attempt to execute code. The embedded files and XFA form are also noted but do not provide specific actionable intelligence without further analysis. The primary attack vector appears to be the execution of embedded scripts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics (6)

  • PDF embedded file could not be fully decoded (severity: medium, rule PDF_EMBEDDED_FILE_UNDECODED)
    A declared PDF /EmbeddedFile stream uses filters that the scanner could not decode. The raw stream was carved for artifact triage because malformed or unsupported attachment filters can hide payload content from normal extraction.
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low, rule PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form (severity: low, rule PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic
  • PDF paints image(s) but contains no text operators (severity: info, rule PDF_IMAGE_ONLY_LURE)
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (with the channel that referenced each one):
    • http://ocsp.verisign.com0 (Referenced by PDF JavaScript)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (Referenced by PDF JavaScript)
    • http://ns.adobe.com/xap/1.0/ (Referenced by PDF JavaScript)
    • http://ns.adobe.com/pdf/1.3/ (Referenced by PDF JavaScript)
    • http://ns.adobe.com/xap/1.0/mm/ (Referenced by PDF JavaScript)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/xfa/promoted-desc/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xci/2.6/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xci/2.8/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-template/2.6/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-locale-set/2.7/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-locale-set/2.6/ (Referenced by PDF JavaScript)
    • http://crl.verisign.com/tss-ca.crl0 (Referenced by PDF JavaScript)
    • http://crl.verisign.com/ThawteTimestampingCA.crl0 (Referenced by PDF JavaScript)
    • https://www.verisign.com/rpa (Referenced by PDF JavaScript)
    • https://www.verisign.com/rpa01 (Referenced by PDF JavaScript)
    • http://crl.verisign.com/pca3.crl0 (Referenced by PDF JavaScript)
    • http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D (Referenced by PDF JavaScript)
    • https://www.verisign.com/rpa0 (Referenced by PDF JavaScript)
    • http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0 (Referenced by PDF JavaScript)
    • http://www.adobe.com/typehttp://www.adobe.com/type/legal.html (Referenced by PDF JavaScript)
    • http://ns.adobe.com/xdp/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-form/2.8/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-data/1.0/ (Referenced by PDF JavaScript)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
embedded_file_obj0002.bin | pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0x50B | 1587 bytes
  SHA-256: 444d6d82bf278239c586a47ac22b38bc52ef0567885d34677b63697694199d94
embedded_file_obj0003.bin | pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x7FC | 1131 bytes
  SHA-256: b7a0d22ac75abe2687fb5f359888909250f2da2c07714300e3f996843b09f50d
embedded_file_obj0004.bin | pdf-embedded-file | PDF EmbeddedFile object 4 at offset 0xAB8 | 3023 bytes
  SHA-256: f6828dd1c2c33f5f9b3d297876597a713abd12a8e3a8bcc14eda8a62895139c5
embedded_file_obj0005.bin | pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0xE49 | 1147 bytes
  SHA-256: cf065dc4fd2d15fa5738d48dc81edfceb1e16b432145bd109187b7245ff7b331
embedded_file_obj0058.bin | pdf-embedded-file | PDF EmbeddedFile object 58 at offset 0x73719 | 162 bytes
  SHA-256: afc37dfd267afc85da413af5b7bc1e8f5d4bd93a706404932b8c311efda57b71
embedded_file_obj0059.bin | pdf-embedded-file | PDF EmbeddedFile object 59 at offset 0x7380C | 263 bytes
  SHA-256: 7cf53d1b73d36e3e106802f55ddf832413e6fd7f6cbb683494a84f88caad15b1
embedded_file_obj0060.bin | pdf-embedded-file | PDF EmbeddedFile object 60 at offset 0x7392F | 1714 bytes
  SHA-256: f77000e4c9a6b068d110e6af56cf50936305ee7b5f276601453a62e51af75b6b
temp.jpg | pdf-embedded-file-undecodable | PDF EmbeddedFile object 57 at offset 0xDCE2; filter decode failed | 416221 bytes
  SHA-256: 192495bd1a4263fd7833267796ed7e28775fc62ca618e7e0b82c267855d051ed
xfa_image_rawvalue_000.tif | pdf-xfa-image-tiff | XFA image/rawValue TIFF payload near offset 0x739B9 | 1126 bytes
  SHA-256: 53c3280911c4a63151a3cf0a288ec12047b28c49d94c45981698577737286746
font_00_sfnt_off0000108f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x108F | 36717 bytes
  SHA-256: 3a47365ba29be93b97be381e34ec3c7ef0a10e0f82cdb3dadd6fb11f2800fdb3