Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecf72a11c2bea6c1…

MALICIOUS

PDF

15.8 KB
MD5: 028140d533289b5a88d27a975bcedd63 SHA-1: 33be4654899e62d4395f0902851cbb0c091c26d0 SHA-256: ecf72a11c2bea6c1aad59ab8ec1724436fcfbb4f396de9d950c22480af23dcee
66 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file was flagged by an ML classifier as malicious and contains an embedded script payload. The embedded script is likely responsible for executing malicious actions, potentially downloading and executing a second-stage payload. The presence of XFA form elements and embedded files further indicates a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9799

Heuristics 4

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_000002dc.bin
6337cf8f8c2e5bdff100b6470f7ff3a174ee63e39a024b6d6dd66ad1ab28b7cb		 pdf-embedded-script PDF decompressed stream script payload at offset 0x2DC 14224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.