Malicious PDF — malware analysis report

Static analysis result for SHA-256 01a3906dc153f6ca…

MALICIOUS

PDF

1.63 MB Created: 2007-04-16 09:34:52 +02:00 Authoring application: PDFPublishing (via Adobe Acrobat 3D Toolkit 4.1.0.0)
MD5: 3aa1b28ffe7b3d9d10fc7feb55fe4bbd SHA-1: fe709eccce0de954f55506a82b6c3de9f285d7ce SHA-256: 01a3906dc153f6ca1ef773a742bbca518d7387aef7a1f99fc844f95c80f396f7
402 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains multiple JavaScript streams, including calls to `eval()` and `unescape()`, and is identified as an XFA form with risky executable script. The script attempts to trick the user into updating Adobe Reader by presenting an alert box and directing them to `http://cgi.adobe.com/special/acrobat/update`, which is likely a lure for downloading a secondary exploit or payload. The presence of U3D content and embedded files further indicates malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9869

Heuristics 16

  • XFA form contains risky executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behavior is present.
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • Embedded PDF child has suspicious static findings critical PDF_EMBEDDED_CHILD_STATIC_TRIAGE
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.pdfmachine.com
    • http://www.broadgun.com)Tj
    • http://pdfmachine.com
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.your.domain.com
    • http://purl.org/dc/elements/1.1/
    • http://cgi.adobe.com/special/acrobat/update
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.4/
    • http://www.xfa.org/schema/xfa-template/2.2/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xfdf/

Extracted artifacts 19

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x686AF 85 bytes
embedded_file_obj0009.bin
ce75a85ad744dc6bd3f985f71c092883b743463972eff168ee9ffb2336c4b0c8		 pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x68760 1333 bytes
embedded_file_obj0010.bin
34947838c6ff704a8af99b706b5a0d69774d4b8df3f1ab25c0f1afe9ac8be76b		 pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x689E2 66943 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 17 eval/decoder/string-building token(s).
embedded_file_obj0011.bin
5f46a4aa50bf20cf566ff569220627bd3d337eb0f82d34eb699337756ad09c73		 pdf-embedded-file PDF EmbeddedFile object 11 at offset 0x72CD6 2262 bytes
embedded_file_obj0012.bin
e45851fdfd997f7b3eae0f62d6f4820fe7801f3abb9b20f7bb34e90c22f8e732		 pdf-embedded-file PDF EmbeddedFile object 12 at offset 0x72FB9 142 bytes
embedded_file_obj0013.bin
64c0bb66f310529eab132369c19856140bcd190d2ce069d57343c3caa9ac2709		 pdf-embedded-file PDF EmbeddedFile object 13 at offset 0x7307F 724 bytes
embedded_file_obj0014.bin
a60265344cf1a9e94da34c8f587f64a4297e2fa417c895852209903ab7588bcc		 pdf-embedded-file PDF EmbeddedFile object 14 at offset 0x7325F 85 bytes
disclaimer.pdf
890cb280c647c2743048717ed8c46eb42225594f115f08c85db53169c8ea46b5		 pdf-embedded-file PDF EmbeddedFile object 16 at offset 0x7340E 10232 bytes
21130-415.stp
c1ce6c448a126dd77776d8272a89eb21df19c2dca24eb9944755dae03181599f		 pdf-embedded-file PDF EmbeddedFile object 17 at offset 0x7E85D 4194304 bytes
21130-415.pdf
26dec4f1cbc2bb99a9b2a76dc3a7355026baa9badc9439e2c03145963a8483cb		 pdf-embedded-file PDF EmbeddedFile object 18 at offset 0x17E9D4 38669 bytes
21130-415.dxf
77ebf7b56343103cc91e654d10eaa6bf5d751688f81c5aec07aaff3f757e44a0		 pdf-embedded-file PDF EmbeddedFile object 19 at offset 0x187C72 551574 bytes
21130-415.dwg
47dfb97b4162a50a436dc4bd9988ed5c7c1b4a382a5f96a30b365df8aeeb0d7d		 pdf-embedded-file PDF EmbeddedFile object 20 at offset 0x192081 157725 bytes
javascript_obj0032_000.js
c876171bd867b66b7671fb337ff9e57d18cd15b43d344cf5a7243821300a408a		 pdf-javascript-stream PDF /JS object 32 at offset 0x961 1528 bytes
javascript_obj0033_001.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 pdf-javascript-stream PDF /JS object 33 at offset 0xB45 870 bytes
javascript_obj0034_002.js
c2d25683b87f35b2c97fd55b4b4d3fb2c8e428989cc7f8de755a12031e1ce557		 pdf-javascript-stream PDF /JS object 34 at offset 0xC9A 3843 bytes
javascript_obj0077_003.js
79b8f0f177a0008f708dd536c4fb018567c63c7be00473aedaa68987cb6db796		 pdf-javascript-stream PDF /JS object 77 at offset 0x66C06 28087 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 26 long hex-escaped blob(s).
stream_013_off00023bb8.bin
89e1b991265d1f6fbb8cde8b0aad297979cf2ecc58616c20bb94d5f5319d200f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x23BB8 549248 bytes
font_00_cff_off00005fac.bin
28345a751bc247acbf8155171a43d69e366aa8df344a8a0a8a8304436513e01c		 pdf-font-stream PDF embedded font (cff) at offset 0x5FAC 66185 bytes
font_01_cff_off00011420.bin
96161e3d15cf67591ef2a1c87940c8dc0af59a94fcfab5d6bfcf4cb992a24af8		 pdf-font-stream PDF embedded font (cff) at offset 0x11420 64586 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.