Malicious PDF — malware analysis report

Static analysis result for SHA-256 04ce587ab16d1940…

MALICIOUS

PDF

946.7 KB Created: 2010-06-11 23:23:27 +08:00
MD5: a309c62c501cf480d53c5e5fe92345b8 SHA-1: 88b8be475174d6a0d8353fdabfe323130338d44a SHA-256: 04ce587ab16d194049751f3787e5df9dc2583676811fdc13bd0194ccbda39996
188 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF contains JavaScript that is flagged as an exploit cluster, specifically leveraging XFA forms. This script is designed to download and execute a secondary payload from the embedded URL. The presence of multiple embedded files further supports the payload delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9946

Heuristics 10

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.8/
    • http://www.xfa.org/schema/xfa-template/2.8/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://ns.adobe.com/xtd/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://cgi.adobe.com/special/acrobat/update

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
84270147774bafb693cefa5666d1072d25266372a748def076468f6f646a453f		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x128F 163 bytes
embedded_file_obj0002.bin
a8b1b6c4a7495d6353e06643ee59323911843844524450bf1068d247661813e3		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x1380 1590 bytes
embedded_file_obj0003.bin
bce51576f361c2a5cb1b5786fb6626eb34a5bbe13e3cf964f10d091b40da35a9		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x167B 4747 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
embedded_file_obj0004.bin
e893fc6010e845f2d992671bea3fe5dbb18bd6d442b5e3f98d9a1f1599fafd25		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x1EBF 199 bytes
embedded_file_obj0005.bin
c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x1FAD 2955 bytes
embedded_file_obj0006.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x2327 200 bytes
embedded_file_obj0007.bin
733f6d5b45b2367069129a768a516fb18c67d8eea786404ef5632cf493f4226c		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x241A 835 bytes
embedded_file_obj0008.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x25F2 56 bytes
stream_002_off000003d8.js
529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3D8 1363 bytes
stream_003_off000005b5.js
e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5B5 902 bytes
objstm_0046_00.bin
76654a8c7f3db10d22b5fa1d52fd1e1da1b4bd281c96ca56b72ac17ad2ca1c62		 pdf-objstm-decoded PDF /ObjStm 46 0 obj (inflated) 1805 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.