Malicious PDF — malware analysis report

Static analysis result for SHA-256 010f65e4edc4ee6f…

Verdict: MALICIOUS
File type: PDF
Size: 815.2 KB
MD5: e10ff46c64b47d0cf2d578a36acf71e1
SHA-1: e03b20fecb767896d9b19fe1c1c6fc5b58fb07ac
SHA-256: 010f65e4edc4ee6f41d129526ad72e1e886bf6f616030a4684050e7752d0113a
Risk score: 86

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment (the page's original mapping read T1566.002, which is Spearphishing Link; a malicious PDF delivered as an attachment is sub-technique .001)
  • T1059.001 Command and Scripting Interpreter: PowerShell (no PowerShell artefact appears in the static results below, so treat this mapping as unconfirmed until the carved JavaScript has been decoded)

The PDF declares /Encrypt and carries an /OpenAction trigger: document encryption hides stream contents from static scanners, and pairing it with an auto-execute action is a known evasion pattern. Lure heuristics identify an advance-fee scam, most likely a fake lottery or prize notification. JavaScript streams were also carved from the file; they contain eval/decoder-style tokens but are not flagged by ClamAV, so whether they download or stage a further payload has to be confirmed by decoding them (after decrypting the document) rather than assumed.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0025

Heuristics (5)

  • Encrypted PDF carries /OpenAction: payload hidden from static analysis (high; PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an auto-execution trigger (/OpenAction). Document encryption hides JavaScript bodies and stream contents from static scanners; combined with an auto-execution indicator this is a known evasion pattern for delivering weaponised JavaScript. Note that most encrypted PDFs use the standard security handler with an empty user password (so that any viewer can open them), in which case the file can be decrypted without any key, for example with qpdf --decrypt, and the inflated streams re-scanned; only a non-empty user password actually prevents inspection.
  • Advance-fee lottery/parcel scam lure (high; SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • PDF paints image(s) but contains no text operators (info; PDF_IMAGE_ONLY_LURE)
    PDF has 1 image XObject and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context. Caveat for an encrypted file: content streams that are still encrypted cannot be inflated, so the absence of text operators is only meaningful once the document has been decrypted and the check re-run.
  • Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Several entries came out fused with adjacent bytes (a vendor name, neighbouring licence URLs, a trailing DER tag byte 0x30 that prints as "0"), which is what a plain URL regex produces when run over font string data and certificate blobs; they are split below with the residue noted.
    • http://www.monotype.com (extracted fused with the following string "Monotype")
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0 (trailing "0" is a DER tag byte, not part of the URL)
    • https://www.verisign.com/rpa0 (same)
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0 (same)
    • http://www.microsoft.com/typography
    • http://www.monotype.com/html/mtname/ms_arial.html
    • http://www.monotype.com/html/mtname/ms_welcome.html
    • http://www.monotype.com/html/type/license.html
      (the three Monotype URLs were extracted as one run because they are stored back to back in the source data)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    On their face none of these is a lure or payload address: the VeriSign and Microsoft entries are X.509 extension pointers (CPS, OCSP responder, CRL distribution point), the monotype.com and microsoft.com/typography entries are the vendor/licence strings found in Monotype's Arial (the ms_arial.html path gives the font away), and the w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace URIs from document metadata. The CodeSignPCA CRL pointer is characteristic of an Authenticode (code-signing) certificate chain, so confirming which carved stream it came from is a worthwhile check before closing the case.
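Added example, not the report's or its scanner's own code: a stdlib-only Python script that builds a constructed sample PDF with the same structural combination seen above (declared /Encrypt, /OpenAction trigger, image-only page content, JavaScript with eval/decoder tokens) and re-derives the three structural heuristics from raw bytes plus inflated FlateDecode streams. The sample file, the dummy encryption dictionary, the token list and the rule names used as dictionary keys are assumptions for the demonstration. The sample's streams are deliberately left unencrypted so that inflation works offline; a genuinely encrypted file has to be decrypted first (for example with qpdf --decrypt) before the image-only and token checks mean anything.

```python
import re
import zlib

# Added example, not the report's own tooling. The sample PDF below is
# constructed for this demonstration: it declares /Encrypt in the trailer (with
# dummy /O and /U values), auto-runs a JavaScript action via /OpenAction, paints
# one image XObject and emits no text operators. Its streams are left
# unencrypted so zlib can inflate them offline; in a real encrypted file the
# streams are RC4/AES-encrypted and must be decrypted first (qpdf --decrypt).


def _stream(extra: bytes, data: bytes) -> bytes:
    """Build a FlateDecode stream object body with optional extra dict keys."""
    body = zlib.compress(data)
    return (b"<< " + extra + b" /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
            + body + b"\nendstream")


def build_sample_pdf(with_text: bool = False) -> bytes:
    """Constructed sample PDF; with_text=True adds a real text-showing operator."""
    content = b"q 200 0 0 100 50 600 cm /Im0 Do Q\n"          # image paint only
    if with_text:
        content = b"BT /F1 12 Tf 72 700 Td (Hello) Tj ET\n" + content
    js = b"var u = unescape('%68%74%74%70'); eval(String.fromCharCode(0x61));\n"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R"
        b" /Resources << /XObject << /Im0 5 0 R >> >> >>",
        _stream(b"", content),
        _stream(b"/Type /XObject /Subtype /Image /Width 4 /Height 4"
                b" /ColorSpace /DeviceGray /BitsPerComponent 8", b"\x80" * 16),
        b"<< /Type /Action /S /JavaScript /JS 7 0 R >>",
        _stream(b"", js),
        # Standard security handler dictionary with dummy /O and /U entries.
        b"<< /Filter /Standard /V 1 /R 2 /Length 40 /P -1 /O <" + b"00" * 32
        + b"> /U <" + b"00" * 32 + b"> >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R /Encrypt 8 0 R /ID [<00> <00>] >>\n"
            b"startxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref))
    return bytes(out)


STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
TRIGGER_RE = re.compile(rb"/(OpenAction|AA)(?![A-Za-z])")
TEXT_OP_RE = re.compile(rb"(?<![A-Za-z])(BT|ET|Tj|TJ)(?![A-Za-z])")
# Assumed token list for "eval/decoder/string-building" scoring.
SCRIPT_TOKEN_RE = re.compile(
    rb"\b(eval|unescape|String\.fromCharCode|util\.byteToChar|app\.launchURL)\b")


def inflate_streams(pdf: bytes) -> list[bytes]:
    """Return every stream body, inflated where FlateDecode succeeds."""
    streams = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            streams.append(zlib.decompress(raw))
        except zlib.error:
            streams.append(raw)  # uncompressed, or still encrypted: keep raw bytes
    return streams


def has_text_operators(data: bytes) -> bool:
    return TEXT_OP_RE.search(data) is not None


def script_tokens(data: bytes) -> int:
    return len(SCRIPT_TOKEN_RE.findall(data))


def triage(pdf: bytes) -> dict:
    """Static checks mirroring the three structural heuristics in the report."""
    streams = inflate_streams(pdf)
    outside = STREAM_RE.sub(b"", pdf)  # dictionaries and trailer, minus stream bodies
    n_images = len(re.findall(rb"/Subtype\s*/Image", outside))
    any_text = has_text_operators(outside) or any(has_text_operators(s) for s in streams)
    tokens = sum(script_tokens(s) for s in streams)
    return {
        "PDF_ENCRYPTED_WITH_JS": b"/Encrypt" in outside and TRIGGER_RE.search(outside) is not None,
        "PDF_IMAGE_ONLY_LURE": n_images > 0 and not any_text,
        "EXTRACTED_FILE_STATIC_TRIAGE": tokens > 0,
        "javascript_present": re.search(rb"/(JavaScript|JS)(?![A-Za-z])", outside) is not None,
        "image_xobjects": n_images,
        "script_tokens": tokens,
    }


if __name__ == "__main__":
    for flag, value in triage(build_sample_pdf()).items():
        print(f"{flag:30} {value}")
```

Running it prints the flags for the constructed file; the with_text=True variant shows PDF_IMAGE_ONLY_LURE dropping as soon as a Tj operator appears, which is why the report rates that heuristic as informational. The /Encrypt, /OpenAction and /JS name checks are done on the non-stream part of the file only; a catalog or action dictionary packed inside an object stream (/ObjStm, like the two carved from this sample) is invisible there until the object stream is inflated, so a production scanner has to run the same name regexes over the inflated streams as well.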

Extracted artifacts (13)

Files carved from inside the sample during analysis. Each entry lists filename, SHA-256, kind, source and size, plus the detection result where a static check fired.

  • stream_007_off0000c077.js
    SHA-256: acda5fee154de073a2ceab58c5e545c42bb75ce0522cf172edfbe927de58a933
    Kind: decompressed-pdf-stream; source: PDF FlateDecoded stream at offset 0xC077; size: 1928 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens).
  • stream_008_off0000c520.js
    SHA-256: e18eb7f17ce98a8e0891018432f5a16ecbab416f3cabc965bb3ef9cf0c305372
    Kind: decompressed-pdf-stream; source: PDF FlateDecoded stream at offset 0xC520; size: 788 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token).
  • stream_014_off00013928.bin
    SHA-256: b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa
    Kind: decompressed-pdf-stream; source: PDF FlateDecoded stream at offset 0x13928; size: 367087 bytes
  • stream_020_off0004a599.bin
    SHA-256: db8f467b54cf13a179601f7b93b1299062709d0b6f3270973d94a5f1940bb75b
    Kind: decompressed-pdf-stream; source: PDF FlateDecoded stream at offset 0x4A599; size: 15500 bytes
  • objstm_0004_00.bin
    SHA-256: 6d71bc3d177b24c0b9d3e69d429df1e045aca68e2dd250ed3c84ad1f45c1f04b
    Kind: pdf-objstm-decoded; source: PDF /ObjStm 4 0 obj (inflated); size: 2734 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob).
  • objstm_0194_00.bin
    SHA-256: e5bf21b2d483d059253ff1b4499349e23d9c5e16b33a9089c0fc384c45b7bc9d
    Kind: pdf-objstm-decoded; source: PDF /ObjStm 194 0 obj (inflated); size: 9692 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs).
  • font_00_cff_off0000c90f.bin
    SHA-256: 5673cdba6e8d5992d1d05f6c777c5574a1f49f99d821bd8ead4b8123ffc2ec64
    Kind: pdf-font-stream; source: PDF embedded font (cff) at offset 0xC90F; size: 2789 bytes
  • font_01_cff_off0000d3c4.bin
    SHA-256: 19ae1ea3d524141b8c675376bf4512fdd17a5f9dc3c6760f81ff252ba00b2d0e
    Kind: pdf-font-stream; source: PDF embedded font (cff) at offset 0xD3C4; size: 7347 bytes
  • font_02_cff_off000b1683.bin
    SHA-256: 4f267c85b89e6fc9ee8b3e4a01806e6f5a805c14e2111e34d51fdf36007a1791
    Kind: pdf-font-stream; source: PDF embedded font (cff) at offset 0xB1683; size: 6421 bytes
  • font_03_cff_off000b2cc6.bin
    SHA-256: d8c7188244ae0a8ef8c65bb9a045cdde73619c23714d621d9f578c26370f0a96
    Kind: pdf-font-stream; source: PDF embedded font (cff) at offset 0xB2CC6; size: 5260 bytes
  • font_04_cff_off000b3feb.bin
    SHA-256: 129b2c4ae4f4a5fb8984be184f5023011014931bbd0054a167aa17b69abbd8d2
    Kind: pdf-font-stream; source: PDF embedded font (cff) at offset 0xB3FEB; size: 476 bytes
  • font_05_cff_off000b4677.bin
    SHA-256: ac353bdfb1211c1b172673d981e583b1fc72aeb8a992d0c256b2dd138e093c1d
    Kind: pdf-font-stream; source: PDF embedded font (cff) at offset 0xB4677; size: 432 bytes
  • font_06_cff_off000b49f0.bin
    SHA-256: 71fd54b8e047f12e8160b06c9d1183a6c371715d7f70900fabbe3c74fffc4f75
    Kind: pdf-font-stream; source: PDF embedded font (cff) at offset 0xB49F0; size: 3950 bytes