Malicious PDF / .37 — malware analysis report

Static analysis result for SHA-256 f1b6853c109ae8c2…

Verdict: MALICIOUS

File type: PDF / .37
Size: 5.8 KB
Authoring application: rznosasbvebvvjxtbnsznhybfcprlq
MD5: df4544b9527c0ae9a6207f4a5bd6a0b7
SHA-1: a616f702a3613df7b6e1375549acfe1974650da2
SHA-256: f1b6853c109ae8c22ff97cf65ebe5419f860556d5bc674cdedcc5d4388e940f3
Risk Score: 106

Malware Insights

MITRE ATT&CK

  • T1204.002 User Execution: Malicious File
  • T1566.002 Phishing: Spearphishing Attachment

The PDF sample contains multiple heuristic firings indicating malicious intent, including a high-severity OpenAction trigger and the use of ASCIIHexDecode filters with exploit indicators. The ML classifier also strongly flagged this PDF as malicious. These indicators suggest the document is designed to exploit a vulnerability upon opening, likely leading to arbitrary code execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • OpenAction trigger (severity: high, rule: PDF_OPENACTION)
    PDF has an /OpenAction that launches, submits, or opens an external target
  • ASCIIHexDecode filter with exploit indicators (severity: medium, rule: PDF_FILTER_HEX)
    Hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes
  • XFA form (severity: low, rule: PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic
  • AcroForm button with action trigger (severity: low, rule: PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures