Verdict: MALICIOUS
Risk score: 98

Malware Insights
MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File
T1059.001 Command and Scripting Interpreter: PowerShell
The sample is a PDF whose static scan fires on an XFA form and on ASCIIHex/ASCII85 stream filters that appear alongside exploit-delivery indicators, a combination typical of exploit or dropper documents rather than ordinary forms. The critical finding is a second, complete PDF body carved from a nonzero offset (0x1198) inside the outer PDF that itself matches exploit and lure heuristics: a polyglot layout in which the outer file satisfies one parser while a PDF reader or downstream parser opens the hidden body, i.e. multi-stage delivery. The string 'Please, wait...' in the document body is a common lure that keeps the victim in the document while the next stage runs. The PowerShell mapping above reflects the expected follow-on stage; none of the static heuristics below observes PowerShell directly.
Heuristics (5)
- [critical] POLYGLOT_CHILD_PDF_STATIC_TRIAGE: Secondary embedded PDF body has suspicious static findings. A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE (or, as here, to an outer PDF) while a PDF reader or downstream parser opens the hidden PDF payload.
- [medium] PDF_FILTER_HEX: ASCIIHexDecode filter (with exploit indicators). A hex-encoding filter is present alongside exploit-delivery indicators; it is often used to hide payload or shellcode bytes.
- [low] PDF_XFA: XFA form. The PDF uses XML Forms Architecture, which can contain script logic.
- [low] PDF_FILTER_85: ASCII85Decode filter (with exploit indicators). An ASCII85 encoding filter is present alongside exploit-delivery indicators; it is uncommon outside of obfuscation.
- [info] PDF_DIFFERENTIAL_PARSE_FAILED: PDF differential parser failed. The cross-check parser (pdfminer.six) failed on this file with PSEOF, its premature-end-of-file error, raised when the tokenizer reaches the end of the data while still expecting tokens, typically because the trailer or xref it is following is truncated or displaced by extra data. Static heuristics still ran and their findings above are valid; only the differential cross-check signal is missing. A file that one parser rejects while a reader still renders it is itself worth noting, since that kind of parser differential is exactly what a polyglot layout relies on.
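As an added example (not part of this report or the analyzer's own code), the following Python mirrors the two heuristics that drive the verdict: carving a PDF body from a nonzero offset inside another container, then running static exploit/lure checks over the carved child without any PDF object parser, so a truncated trailer (the PSEOF case above) cannot abort the scan. Rule names follow this report; the PDF_LURE_TEXT rule, the rule that a filter is only medium/low when an exploit indicator is also present (otherwise info), and the sample bytes are this example's own assumptions.

```python
"""Added example: carve PDF bodies hidden at a nonzero offset inside another
container and run static exploit/lure heuristics over each carved child."""
import hashlib
import re
from dataclasses import dataclass, asdict

PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
PDF_EOF = b"%%EOF"
# Objects that make a PDF execute something on open (exploit-delivery indicators).
EXPLOIT_INDICATORS = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)(?![A-Za-z])")
# Encoding filters that mostly serve to hide payload bytes. Severity applies only
# when an exploit indicator is also present (assumption); otherwise "info".
ENCODING_FILTERS = {
    b"/ASCIIHexDecode": ("PDF_FILTER_HEX", "medium"),
    b"/ASCII85Decode": ("PDF_FILTER_85", "low"),
}
LURE_STRINGS = (b"Please, wait", b"Please wait", b"Loading document")  # assumption


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def container_kind(data: bytes) -> str:
    """Classify by top-level magic, as a naive file-type router would."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


def find_child_pdfs(data: bytes) -> list:
    """Return (offset, carved_bytes) for every %PDF- header at a nonzero offset.
    Each body is carved up to the last %%EOF before the next header (or end of data)."""
    starts = [m.start() for m in PDF_HEADER.finditer(data)]
    children = []
    for i, start in enumerate(starts):
        if start == 0:  # the top-level PDF itself is not a polyglot child
            continue
        limit = starts[i + 1] if i + 1 < len(starts) else len(data)
        eof = data.rfind(PDF_EOF, start, limit)
        end = limit if eof == -1 else eof + len(PDF_EOF)
        children.append((start, data[start:end]))
    return children


def static_triage(pdf: bytes) -> list:
    """Substring heuristics over one PDF body. No object parsing, so a broken
    xref or truncated trailer (pdfminer's PSEOF) does not stop the scan."""
    findings = []
    indicators = sorted({m.group(1).decode() for m in EXPLOIT_INDICATORS.finditer(pdf)})
    if b"/XFA" in pdf:
        findings.append(Finding("PDF_XFA", "low", "XML Forms Architecture can carry script logic"))
    for token, (rule, severity) in ENCODING_FILTERS.items():
        if token in pdf:
            sev = severity if indicators else "info"
            findings.append(Finding(rule, sev, f"{token.decode()} alongside {indicators or 'no indicators'}"))
    for lure in LURE_STRINGS:
        if lure in pdf:
            findings.append(Finding("PDF_LURE_TEXT", "low", f"lure string {lure!r} in body"))
            break
    return findings


def triage_container(data: bytes) -> dict:
    """Detect container magic, carve hidden PDF children, triage each one."""
    report = {"kind": container_kind(data), "children": []}
    for offset, body in find_child_pdfs(data):
        findings = static_triage(body)
        if findings:  # a carved child that matches heuristics is the critical signal
            findings.insert(0, Finding("POLYGLOT_CHILD_PDF_STATIC_TRIAGE", "critical",
                                       f"PDF body at {offset:#x} inside {report['kind']} container"))
        report["children"].append({
            "artifact": f"polyglot_child_pdf_off{offset:08x}.pdf",
            "sha256": hashlib.sha256(body).hexdigest(),
            "offset": offset, "size": len(body),
            "complete": body.endswith(PDF_EOF),  # False if carved to end of data
            "findings": findings,
        })
    return report


# Constructed sample (not real malware): a ZIP local-file header and stub entry,
# then a minimal PDF using XFA, ASCIIHexDecode, OpenAction+JavaScript and a
# "Please, wait..." lure, then a ZIP end-of-central-directory record.
OUTER = b"PK\x03\x04" + b"\x14\x00" + b"\x00" * 24 + b"readme.txt" + b"not a pdf\n"
CHILD_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 4 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /XFA 6 0 R >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS (app.alert('Please, wait...')) >> endobj\n"
    b"6 0 obj << /Length 8 /Filter [/ASCIIHexDecode /FlateDecode] >> stream\n"
    b"789c0300>\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF"
)
SAMPLE = OUTER + CHILD_PDF + b"\nPK\x05\x06" + b"\x00" * 18

if __name__ == "__main__":
    import json
    rep = triage_container(SAMPLE)
    for child in rep["children"]:
        child["findings"] = [asdict(f) for f in child["findings"]]
    print(json.dumps(rep, indent=2))
```

Run it against a real suspect file by replacing SAMPLE with `open(path, "rb").read()`; the artifact name and offset convention match the extracted-artifacts table below, and the `complete` flag tells you whether the carved child reached a `%%EOF` or was cut at the end of the container, which is the case in which a differential parser such as pdfminer.six is most likely to raise PSEOF.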
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| polyglot_child_pdf_off00001198.pdf | 9199c7ab996fd48b8003285dcec16ee000e09e492f35fe4f40f0af8fdf58303d | polyglot-child-pdf | Secondary PDF body inside the PDF container at offset 0x1198 (4504 bytes in) | 907 bytes |