Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1b33a2f852cd02e…

MALICIOUS

PDF

3.42 MB Created: 2008-02-27 16:58:09 +08:00 Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 6.0.1 (Windows)) First seen: 2026-05-10
MD5: 55a67f4a9c3c3ce6f0a1dd001eb9152d SHA-1: 99305988f92f6b6de0f7430545b9b8c52c706a54 SHA-256: d1b33a2f852cd02e9d417fbe193a8735f8d38be5aeaa0a71caf7a584f62d5b99
86 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains embedded JavaScript and an embedded URL, indicating an attempt to redirect the user to a malicious site. The heuristics suggest JavaScript actions and embedded content, consistent with a phishing or redirection attack. The embedded URL 'http://www.pdf-repair.com' is flagged as unknown and is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9290

Heuristics 7

  • PDF embedded file could not be fully decoded medium PDF_EMBEDDED_FILE_UNDECODED
    A declared PDF /EmbeddedFile stream uses filters that the scanner could not decode. The raw stream was carved for artifact triage because malformed or unsupported attachment filters can hide payload content from normal extraction.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.pdf-repair.com)/CreationDate In PDF document text
    • http://www.pdf-repair.comIn PDF document text
    • http://www.pdf-repair.com)/ModDateIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://www.w3.org/1999/xhtmlIn PDF document text
    • http://www.xfa.org/schema/xfa-data/1.0/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
taa pdf-embedded-file-undecodable PDF EmbeddedFile object 8 at offset 0x1333; filter decode failed 3558987 bytes
SHA-256: 5f9def8e750aff8c9ed96eb7970eef58a16c35785d0beb41c066d1c085c9359a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.