PDF malware analysis — malicious · d19f92b52c399ac8

MALICIOUS

PDF

12.4 KB Created: 2011-04-19 23:58:40 Authoring application: now say

MD5: 1a5f0502e58fb8433de4e8c4c689903d SHA-1: 8e9d7b97986432485594d0c40588c40545183b16 SHA-256: d19f92b52c399ac84d65c16525e963a3ee977660c20c16522e6fc20429d312e3

196 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

This PDF document exhibits high-confidence indicators of malicious activity, including the use of eval() and unescape() functions within an XFA form, which are commonly used to obfuscate and execute malicious JavaScript. The ML classifier strongly flagged this PDF as malicious. The presence of an embedded script payload and an embedded file (embedded_file_obj0003.bin) suggests the document is designed to download and execute a secondary payload, likely exploiting a PDF vulnerability.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 8

XFA form contains risky executable script high CVE related PDF_XFA_SCRIPT

PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behavior is present.
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85

ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0006.bin` `d81baa73e490e4cb879e13927cacd1dd1be37524a37eac51603e15117c578777`	pdf-embedded-file	PDF EmbeddedFile object 6 at offset 0x1234	84 bytes
`embedded_file_obj0005.bin` `24c130f03a4cf51d470b536e94c1e58af67665739e200e0ce198ad41086243c0`	pdf-embedded-file	PDF EmbeddedFile object 5 at offset 0x12E5	228 bytes
`embedded_file_obj0012.bin` `c97e0522381d6196cc0695f35f4d065f15c9c86a9601a7f776c6afd3f4c6b460`	pdf-embedded-file	PDF EmbeddedFile object 12 at offset 0x13D6	199 bytes
`embedded_file_obj0017.bin` `22f9870eec417b8a3c9eed3531581a8df6c21a5a6034ae0edb4c03b0daa7bb91`	pdf-embedded-file	PDF EmbeddedFile object 17 at offset 0x14C8	154 bytes
`embedded_file_obj0018.bin` `e6c26a3478346d27e841ad49868ebf68bf4c6863b6750e8d60bda3c4c6f79876`	pdf-embedded-file	PDF EmbeddedFile object 18 at offset 0x159A	77 bytes
`embedded_file_obj0019.bin` `92a3ce61d783e15932b5de127ce45a9b4c2f98f4da2453f65241573c1dda808a`	pdf-embedded-file	PDF EmbeddedFile object 19 at offset 0x1641	56 bytes
`embedded_file_obj0003.bin` `51435125ad76c8598368ef59a6a41ebfb5dc9e543f9bf999ab72d1402a37c42c`	pdf-embedded-file	PDF EmbeddedFile object 3 at offset 0x19BF	20387 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.