Malicious PDF — malware analysis report

Static analysis result for SHA-256 01d9c6ee204aca3a…

Verdict: MALICIOUS

File type: PDF

Size: 507.6 KB
Created: 2009-12-08 16:18:02 +08:00
Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 7.0 (Windows))
MD5: f5f7154d6923435b40c41e94f782bf42
SHA-1: 6b2c34da8e8983ab7dca4477f056587a7f64e04f
SHA-256: 01d9c6ee204aca3a0aba7618bc0e9cfb4fc60f24e034fbf19371b1633fd3f2b0
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and an embedded PDF file, both flagged as suspicious. The JavaScript appears to be designed to exploit vulnerabilities in older versions of Adobe Reader, specifically targeting versions prior to 7. The embedded PDF child also has critical static findings. The primary function of the JavaScript is likely to download and execute a secondary payload, leveraging the embedded PDF as part of the exploit chain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics (8)

  • Embedded PDF child has suspicious static findings (critical, PDF_EMBEDDED_CHILD_STATIC_TRIAGE)
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment — it could carry an executable or another weaponised document as a nested payload.
  • XFA form (low, PDF_XFA)
    PDF uses XML Forms Architecture — XFA forms can contain script logic.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.iec.ch

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • DD-100485.pdf
    SHA-256: 4f3780f5368b0929029c0d6ba766cf108c4df487c311d086b508c0e15b54b20b
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 62 at offset 0x42430
    Size: 30192 bytes
  • javascript_obj0066_000.js
    SHA-256: 97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61
    Kind: pdf-javascript-stream
    Source: PDF /JS object 66 at offset 0x7A3CD
    Size: 1946 bytes
  • stream_028_off0007a3cd.js
    SHA-256: 5c1ab2af46eef55b0d162c3a84464633475df9b138b64aa21a36ffaffbdffa88
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x7A3CD
    Size: 1336 bytes
  • icc_00_off0003a956.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x3A956
    Size: 3144 bytes