Malicious PDF — malware analysis report

Static analysis result for SHA-256 d35a18e6b99dad2f…

MALICIOUS

PDF

3.42 MB Created: 2008-02-27 16:58:09 +08:00 Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 6.0.1 (Windows)) First seen: 2026-05-10
MD5: 59601ecfec45f57eedd6f708f02f9653 SHA-1: 61e53cf1dbb0dbf0178e5cc19734d4462aac3ea6 SHA-256: d35a18e6b99dad2fb3cd2442c9f87f00fe1c4cd53f6026fe0f772787ae438d96
86 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file exhibits multiple heuristic firings related to embedded JavaScript and embedded files, indicating malicious intent. The presence of an embedded URL, specifically 'http://www.pdf-repair.com', suggests a potential download source for further malicious activity. The embedded JavaScript is likely responsible for executing the download and execution of a second-stage payload, a common technique for malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9290

Heuristics 7

  • PDF embedded file could not be fully decoded medium PDF_EMBEDDED_FILE_UNDECODED
    A declared PDF /EmbeddedFile stream uses filters that the scanner could not decode. The raw stream was carved for artifact triage because malformed or unsupported attachment filters can hide payload content from normal extraction.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.pdf-repair.com)/CreationDate In PDF document text
    • http://www.pdf-repair.comIn PDF document text
    • http://www.pdf-repair.com)/ModDateIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://www.w3.org/1999/xhtmlIn PDF document text
    • http://www.xfa.org/schema/xfa-data/1.0/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
taa pdf-embedded-file-undecodable PDF EmbeddedFile object 8 at offset 0x1333; filter decode failed 3558987 bytes
SHA-256: 5f9def8e750aff8c9ed96eb7970eef58a16c35785d0beb41c066d1c085c9359a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.