Malicious PDF / .TMP — malware analysis report

Static analysis result for SHA-256 033ebd8cddbb60b9…

MALICIOUS

PDF / .TMP

5.2 KB Created: è3ú¢à.5NêÞ£A”“ Authoring application: ÿjºû²cv[õݹCƒ• (via ÿjºû²cv[qŸ¨·<ÄIÕVWõrHQèŒ:iL)
MD5: 2f8f4e975debc0b64f270b331e397f2c SHA-1: dc89a2582c21fb58c74ec13fe6659284a66efee8 SHA-256: 033ebd8cddbb60b93ef68e9be2cde97e68a8b47d4c0e25ac5c7ddb2ba4d40cb3
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript which is obfuscated but contains a clear URL for downloading a payload. The ML classifier strongly indicates maliciousness. The JavaScript is responsible for downloading and executing a second-stage payload from the embedded URL, which is a common technique for initial compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://double.boublebarelled.ws/FrMal/?forum=8

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0024_001.js
3d70a35a909126313d0bbaf98989dd5fba22e0a2d0be649b3c029c2b9e1cb394		 pdf-javascript-stream PDF /JS object 24 at offset 0x8D1 4482 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.