Malicious PDF — malware analysis report

Static analysis result for SHA-256 0079545f15e7e24e…

MALICIOUS

PDF

137.7 KB
MD5: ea9561ac1eef2748b92e7661b78b50c4 SHA-1: f2cb1542feee7311b8fc58695791905ed4848e22 SHA-256: 0079545f15e7e24eb9c85a705c0f97c9ae32b67ed260dd9ac2cce436dacc4202
96 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.002 Spearphishing Attachment

The PDF file contains JavaScript and exploits XFA forms, indicating an attempt to execute malicious code. It also embeds files, one of which is significantly larger than others, suggesting it's a payload. The presence of a URL that, while benign, is often associated with exploit delivery, further supports this. The primary attack vector appears to be a malicious PDF leveraging JavaScript for exploitation.

Machine Learning

  • Nyx PDF Classifier clean score 0.0185

Heuristics 7

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.8/
    • http://www.xfa.org/schema/xfa-template/2.8/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xfdf/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://cgi.adobe.com/special/acrobat/update

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0199.bin
67acae243ed71dd8205776e6a09ecb0eb0c21d09a16f346ffaa10d0f5bdb6441		 pdf-embedded-file PDF EmbeddedFile object 199 at offset 0x18124 163 bytes
embedded_file_obj0200.bin
d68e5e5bc589ff7d7bfab8457e9c61331b8d979aeed642a31eea203b7d4b4aa0		 pdf-embedded-file PDF EmbeddedFile object 200 at offset 0x18216 2012 bytes
embedded_file_obj0201.bin
e52ebbbfc048a3cf6b485f95aeab492580519723eac15ed45e6e40b948845a8a		 pdf-embedded-file PDF EmbeddedFile object 201 at offset 0x185C8 162516 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
embedded_file_obj0202.bin
8f7c5ab54f868049d0b4225cd105709fab42364e2af88ad98f2262be600bf8e2		 pdf-embedded-file PDF EmbeddedFile object 202 at offset 0x1DD97 2483 bytes
embedded_file_obj0203.bin
25df047029f8039e2251156454646f6a32d1f9c34cf8f947f5234c5b58047e48		 pdf-embedded-file PDF EmbeddedFile object 203 at offset 0x1E0A2 2795 bytes
embedded_file_obj0204.bin
901012bf8de1006b655493866eb8eb8d36e667faca6661ae9fe59f7436fcecb4		 pdf-embedded-file PDF EmbeddedFile object 204 at offset 0x1E489 2182 bytes
embedded_file_obj0205.bin
2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19		 pdf-embedded-file PDF EmbeddedFile object 205 at offset 0x1E824 80 bytes
embedded_file_obj0206.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 206 at offset 0x1E8CF 56 bytes
stream_002_off00000ab4.js
529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xAB4 1363 bytes
stream_003_off00000c92.js
e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xC92 902 bytes
objstm_1019_00.bin
b552989e3f132dd2e033db814f435661bc9e70f60338fdb98b7643226090068b		 pdf-objstm-decoded PDF /ObjStm 1019 0 obj (inflated) 20137 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.