Malicious PDF — malware analysis report

Static analysis result for SHA-256 046687b819fcd033…

Verdict: MALICIOUS

File type: PDF

Size: 526.0 KB
Created: 2011-03-10 11:58:10 UTC
Authoring application: TeleForm 10.2 (10232) with Electric Paper PDF Plus² Forms 3.1.226 (2.0.49.490)

MD5: 04cab4697227a58bf2ff2f8ca3fd7bb4
SHA-1: 1876ec8c747b2fb784099f6f22275c419fb155e2
SHA-256: 046687b819fcd033333e7a21f82f37e173f24bb0ea66b3b072ff751e5e5ecda2

Risk Score: 206

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains multiple JavaScript streams, several of which trigger high-severity heuristics for eval() and unescape() calls, indicating obfuscated or malicious script execution. The ML classifier also flagged the PDF as malicious. While function names such as EP_Sign and EP_KEY suggest form interaction, the exploit-cluster signals and the ML score together strongly indicate malicious intent, likely to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9205

Heuristics (9)

  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call [high] PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call [high] PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode [low] PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.dynaforms.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.adobe.com/products/acrobat/readstep2.html

Extracted artifacts (24)

Files carved from inside the sample during analysis.

Each entry lists: filename; SHA-256; kind, source object and offset, size; detection result where the carved file matched a static check.

  • javascript_obj2495_000.js
    SHA-256: baf9cbdea88593024b2b12c6777d51479cc38ef798b18600d3b6600f23d6851d
    pdf-javascript-stream, PDF /JS object 2495 at offset 0xA6B, 101 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s)).
  • javascript_obj2496_001.js
    SHA-256: cac5feb65c9482ab3e5302e13d6842c8f757febaee3fac1b635bb67784a471a4
    pdf-javascript-stream, PDF /JS object 2496 at offset 0xB03, 73 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s)).
  • javascript_obj2498_003.js
    SHA-256: c3cdcd4ff9a9030c24420179fc3118b240d6fc5eb693baad7641d6930a15d136
    pdf-javascript-stream, PDF /JS object 2498 at offset 0xBB5, 61 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s)).
  • javascript_obj2499_004.js
    SHA-256: ac94d45b250614b38d40305a0f6e6ccda9a2da0516c64f21de434f5bf6481696
    pdf-javascript-stream, PDF /JS object 2499 at offset 0xC21, 59 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s)).
  • javascript_obj2589_017.js
    SHA-256: ecedc3038ddcd3dd129633e6ae47f741b628726f27063b62be76e5dec72579a3
    pdf-javascript-stream, PDF /JS object 2589 at offset 0x9C28, 49 bytes
  • javascript_obj0098_023.js
    SHA-256: d36cdebd55ae13c49b5ddce8febff58eb3ffd43fe884eff6a4d5de9832137154
    pdf-javascript-stream, PDF /JS object 98 at offset 0x14F0F, 34 bytes
  • javascript_obj0138_026.js
    SHA-256: f85c9446eb564dbf2c73c1a72a7b4291bce0fe2827dda99d4488cf8aea485b4a
    pdf-javascript-stream, PDF /JS object 138 at offset 0x16112, 47 bytes
  • javascript_obj0170_027.js
    SHA-256: f9c454b9bf739f4a88e918fd78866ce97b37e5366c1fdd3a5048f229291cd076
    pdf-javascript-stream, PDF /JS object 170 at offset 0x170D6, 35 bytes
  • javascript_obj0171_028.js
    SHA-256: 4640479262a6e2bd6ef3a88b206cc9cbf4c6c577c88c681b94727dc90bd731ce
    pdf-javascript-stream, PDF /JS object 171 at offset 0x17127, 35 bytes
  • javascript_obj0172_029.js
    SHA-256: 7fddf0133384bb49a5b87cb2cdaa1928f440524537f2188a3c363dcd65ea3f7a
    pdf-javascript-stream, PDF /JS object 172 at offset 0x17178, 87 bytes
  • javascript_obj0205_031.js
    SHA-256: 28c7527ef881c2c84481beeeaca17173fcd897524c3866ed55ab406830103318
    pdf-javascript-stream, PDF /JS object 205 at offset 0x17E50, 35 bytes
  • javascript_obj0206_032.js
    SHA-256: e526352f0273ed717a7acf68db06e27d683c941ec71e60621ca23e848aeded9a
    pdf-javascript-stream, PDF /JS object 206 at offset 0x17EA1, 35 bytes
  • javascript_obj0208_033.js
    SHA-256: 843139fbe58f4020f9ca4daca070075b3da932a4eab39fc9e81ce391cf353712
    pdf-javascript-stream, PDF /JS object 208 at offset 0x17F25, 41 bytes
  • javascript_obj0210_034.js
    SHA-256: 750c026a4f478475d31f95723584520d2ad084bc594cd6cbd8d743c10095fd2d
    pdf-javascript-stream, PDF /JS object 210 at offset 0x18058, 42 bytes
  • javascript_obj0322_035.js
    SHA-256: a7bc1f7a9f45e9beaa726772775f0102e0b7bcc5fbe1b3da430757bf7b8840b0
    pdf-javascript-stream, PDF /JS object 322 at offset 0x207D0, 36 bytes
  • javascript_obj0618_040.js
    SHA-256: 858c12ca857900aaebec8d105192b9e5c43d8b5a823d35e52eb3af4527391adc
    pdf-javascript-stream, PDF /JS object 618 at offset 0x2B681, 34 bytes
  • javascript_obj2447_041.js
    SHA-256: 92a943c84987e778fa3772e6235ed8d9f60f438c32bda9dea5e7df91fecb2296
    pdf-javascript-stream, PDF /JS object 2447 at offset 0x73421, 9791 bytes
  • javascript_obj2481_042.js
    SHA-256: 8349077bc9ea23dfd28ed374fa3a1620f910002241afa1922cba72701bca6489
    pdf-javascript-stream, PDF /JS object 2481 at offset 0x74931, 9794 bytes
  • javascript_obj2508_043.js
    SHA-256: 38227dbad7161fc89e29bc57f51fad5bab1b95e2e9011583706c465e7f6a7f27
    pdf-javascript-stream, PDF /JS object 2508 at offset 0x268A, 8668 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s)).
  • javascript_obj2510_044.js
    SHA-256: 3f5a767f9bef30d1052725d76be6cb561ee9aed995c65cfe0bf9703b107cc376
    pdf-javascript-stream, PDF /JS object 2510 at offset 0x2FE8, 1791 bytes
  • javascript_obj2512_045.js
    SHA-256: 6973253da093bc525926a71769c424f86da4235fce6749eb371963c7e54e4600
    pdf-javascript-stream, PDF /JS object 2512 at offset 0x336A, 20324 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 31 eval/decoder/string-building token(s)).
  • javascript_obj2514_046.js
    SHA-256: 258cce54449cfbf6889e4d9fa4d8835758c66198fd1476b54174a6fc5faa8022
    pdf-javascript-stream, PDF /JS object 2514 at offset 0x4412, 22718 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 34 eval/decoder/string-building token(s)).
  • javascript_obj2516_047.js
    SHA-256: f1a2798053b078aeef7c6daecb27312316237b57f8ed10042a3a6bb22bdb1388
    pdf-javascript-stream, PDF /JS object 2516 at offset 0x5A00, 21793 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 13 eval/decoder/string-building token(s)).
  • javascript_obj2518_048.js
    SHA-256: e183cfdb18a135a3d733332d0b48c29206c6522e9e044e47308b24076b63fbb4
    pdf-javascript-stream, PDF /JS object 2518 at offset 0x6CA7, 805 bytes