Malicious PDF — malware analysis report

Static analysis result for SHA-256 efefc7e889ee031e…

Verdict: MALICIOUS
File type: PDF
Size: 9.7 KB
MD5: d210403a9d63879c0b2acf41b6d82720
SHA-1: d47c9d142a7702b13c9b376f6405b6a8bc52d54d
SHA-256: efefc7e889ee031e402dac2a05e6d4762144497b6007c9ef73628935d766aa4c
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The PDF file contains embedded JavaScript, flagged by heuristics as a malicious payload. The ML classifier strongly indicates maliciousness. The JavaScript is likely responsible for downloading and executing a secondary payload, as suggested by the presence of obfuscated scripts and extracted files. The XFA form heuristic further points to a non-standard and potentially malicious PDF structure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (3)

  • Embedded script payload in PDF stream (severity: medium, PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form (severity: low, PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • Suspicious extracted artifact (severity: info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size, Detection.

  • stream_000_off000000f2.bin
    SHA-256: 9e8eb5a54b211c48bea297f5413b179eb3ca5e44c3fcadb7adc229a9002585d3
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xF2
    Size: 11860 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 long base64-like blob(s).
  • stream_002_off00001dc4.js
    SHA-256: b7dc9645dc5e3a046042811b4bb16ca7bea1f3545b0f2bbc937c0c5e6e05f8c8
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1DC4
    Size: 5672 bytes
  • acroform_b64_00.js
    SHA-256: ac09ceb5b8be19295889b9c2b436a08554a2d5409c6da5b39800ce83d30313ea
    Kind: deobfuscated-js
    Source: PDF AcroForm base64 (decompressed) at offset 0xF2
    Size: 8895 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 2 eval/decoder/string-building token(s).
      Carved artifact contains 3 long base64-like blob(s).