Malicious PDF — malware analysis report

Static analysis result for SHA-256 0560549107418d56…

Verdict: MALICIOUS
File type: PDF
Size: 147.3 KB
MD5: 10ea48217276e869daece8c71356d33d
SHA-1: 4e59586db2a663683f64e5f4c2c4089f169a11ac
SHA-256: 0560549107418d5625f445497cc230959df1fd44c7746d68309f2a80ef7cbe7e
Risk score: 106

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF contains embedded JavaScript, XFA form content and nine embedded file attachments, a combination frequently used to exploit vulnerabilities in PDF readers. The critical heuristic PDF_JS_EXPLOIT_CLUSTER fires because an executable JavaScript/action surface co-occurs with exploit staging indicators (eval/unescape/fromCharCode or XFA script content) rather than because a specific exploit was identified. A second-stage download by the JavaScript is a plausible hypothesis but not an observed behaviour: the extracted URL list consists mostly of XMP and XFA namespace identifiers, which are not network indicators, and the report does not attribute the remaining URLs to the JavaScript. The specific exploit and payload are not discernible from static analysis alone, hence the 'unknown family' classification; the embedded files and the two decoded JavaScript streams listed under extracted artifacts are the natural next targets for manual review or a detonation in a PDF reader sandbox.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0246

Heuristics (9)

  • PDF_JS_EXPLOIT_CLUSTER (critical): PDF JavaScript exploit cluster
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own remains low-severity; it is the correlation of the two that is treated as high-confidence malicious behaviour.
  • PDF_EMBEDDED (low): Embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (Matched inside a decoded stream.)
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (Matched inside a decoded stream.)
  • PDF_XFA (low): XFA form
    PDF uses XML Forms Architecture, which can contain script logic. (Matched inside a decoded stream.)
  • PDF_EMBEDDED_SCRIPT_PAYLOAD (low): Embedded script payload in PDF stream
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL, but those labels are not reproduced in this report. Most of the URLs below are XMP, RDF, Dublin Core and XFA schema or namespace identifiers that occur in document metadata and form templates and are not network indicators. The entries that are not namespace identifiers (http://www.irt.org/script/146.htm, http://www.opengroup.org/onlinepubs/009 and http://cgi.adobe.com/special/acrobat/update) are the ones worth checking against the decoded JavaScript and the embedded files.
    • http://www.irt.org/script/146.htm
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xci/2.8/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.opengroup.org/onlinepubs/009
    • http://www.w3.org/2001/XMLSchema-instance
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xtd/
    • http://ns.adobe.com/xfdf/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://cgi.adobe.com/special/acrobat/update
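The two heuristics above that carry the most weight, PDF_JS_EXPLOIT_CLUSTER and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, are cheap to reproduce outside the analysis engine. The Python below is an added example written for this page, not the engine's code and not derived from the analysed sample. It builds a constructed PDF-shaped byte string in which object 5 is first defined as a harmless form widget and then redefined, in an incremental update, as a JavaScript action whose FlateDecode stream carries eval/unescape/fromCharCode; it inflates the streams, scores the cluster, flags the duplicate object, and shows what a first-wins and a last-wins reader would each resolve for it. A second constructed sample with ordinary form JavaScript shows why generic JavaScript alone stays low-severity. The token lists and the severity label used for the raised duplicate case are this example's assumptions.

```python
import re
import zlib
from collections import defaultdict

# The two halves of the cluster heuristic (token lists are this example's assumption).
ACTION_SURFACE = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/XFA")
STAGING_INDICATORS = (b"eval(", b"unescape(", b"fromCharCode", b"<script")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def parse_objects(data):
    """Map (object number, generation) -> every body defined for it, in file order.

    Keeping all definitions instead of the first or last one is what exposes the
    duplicate-object parser-confusion shape.
    """
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3))
    return objs


def decoded_views(body):
    """Yield the raw object body plus the inflated content of any FlateDecode stream."""
    yield body
    if b"/FlateDecode" in body:
        for sm in STREAM_RE.finditer(body):
            try:
                yield zlib.decompress(sm.group(1))
            except zlib.error:
                continue  # corrupt or truncated stream: nothing to inspect


def resolve(objs, key, policy):
    """Emulate a reader's duplicate policy: 'first' or 'last' definition wins."""
    bodies = objs[key]
    return bodies[0] if policy == "first" else bodies[-1]


def triage(data):
    objs = parse_objects(data)
    surface, staging = set(), set()
    for bodies in objs.values():
        for body in bodies:
            for view in decoded_views(body):
                surface.update(t for t in ACTION_SURFACE if t in view)
                staging.update(t for t in STAGING_INDICATORS if t in view)
    # Same (num, gen) defined twice with different bytes.
    duplicates = {k: v for k, v in objs.items() if len(v) > 1 and len(set(v)) > 1}
    findings = {}
    if surface:
        findings["PDF_JAVASCRIPT"] = "low"  # generic JS/action: common in benign forms
    if surface and staging:
        findings["PDF_JS_EXPLOIT_CLUSTER"] = "critical"
    for bodies in duplicates.values():
        active = any(t in b for b in bodies for t in ACTION_SURFACE)
        # "high" for a duplicate carrying active content is this example's label
        findings["PDF_DUPLICATE_OBJ_BODY_INCREMENTAL"] = "high" if active else "info"
    return {"findings": findings, "surface": sorted(surface),
            "staging": sorted(staging), "duplicates": duplicates}


def build_sample_pdf(malicious=True):
    """Constructed PDF-shaped bytes (not renderable, not the analysed file)."""
    js = (b"var s = unescape('%u9090%u9090');eval(String.fromCharCode(97,108,101,114,116));"
          if malicious else b"app.alert('form submitted');")
    stream = zlib.compress(js)
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
    ]
    if malicious:  # original object 5, later shadowed by the incremental update below
        parts += [b"5 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Tx >>\nendobj\n",
                  b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"]
    parts += [
        b"5 0 obj\n<< /S /JavaScript /JS 6 0 R >>\nendobj\n",
        b"6 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for label, pdf in (("staged", build_sample_pdf()), ("benign form", build_sample_pdf(False))):
        r = triage(pdf)
        print(f"{label}: {r['findings']} staging={r['staging']}")
        for key in r["duplicates"]:
            objs = parse_objects(pdf)
            print(f"  obj {key} first-wins: {resolve(objs, key, 'first').strip()[:40]!r}")
            print(f"  obj {key} last-wins:  {resolve(objs, key, 'last').strip()[:40]!r}")
```

The staged sample yields the critical cluster plus a raised duplicate-object finding, while the benign form produces only PDF_JAVASCRIPT at low severity. Real samples add object streams (/ObjStm), cross-reference streams and other filters, so a production triage tool walks those too; the point here is that the cluster is a correlation of two observations, not a signature for any one exploit.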

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, where in the sample it came from, and its size.

embedded_file_obj0071.bin
  SHA-256: d6f4fcfa05788bb0581471129fb7f6e5e377d5680e5666f7e229e153de1e60b6
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 71 at offset 0xE2CB
  Size: 2047 bytes
embedded_file_obj0072.bin
  SHA-256: 783244120be9b2a75c25b0ceb972aee547582d1bd33cdd21bf2249250b0e5d1f
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 72 at offset 0xE665
  Size: 47096 bytes
embedded_file_obj0074.bin
  SHA-256: 1ad709309a1427155461a94d529c0a8659e2a614eabeacd49c8872587c1674c4
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 74 at offset 0x112C9
  Size: 2403 bytes
embedded_file_obj0075.bin
  SHA-256: 500856001a9edb17a299f41c8b34871c12c85d56ec8eff03ef181fca24bb96b5
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 75 at offset 0x115A5
  Size: 200 bytes
embedded_file_obj0076.bin
  SHA-256: 032133fdd6ec06edb954c63a2da8990f2012f70b52cc21539cd375c5df823b52
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 76 at offset 0x1169A
  Size: 1718 bytes
embedded_file_obj0077.bin
  SHA-256: 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 77 at offset 0x1195B
  Size: 80 bytes
embedded_file_obj0919.bin
  SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 919 at offset 0x1EE35
  Size: 85 bytes
embedded_file_obj0920.bin
  SHA-256: bd4d28828dfb874f8a6f6db916f0b0594bb0a89e14c2fb4df705870700392041
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 920 at offset 0x1EEE9
  Size: 608 bytes
embedded_file_obj0921.bin
  SHA-256: bd7c5e9b1088a5beb8c4f0c99695aed126034de28593e1974fe7b1fa7809b57b
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 921 at offset 0x1F099
  Size: 750 bytes
stream_115_off0001709f.js
  SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1709F
  Size: 1532 bytes
stream_116_off0001728b.js
  SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1728B
  Size: 870 bytes
objstm_0978_00.bin
  SHA-256: f8dbb10e93ee29c691315ebf5d4b116a3d1675ef6fa3773773b9691c1b4e45da
  Kind: pdf-objstm-decoded
  Source: PDF /ObjStm 978 0 obj (inflated)
  Size: 6459 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 3 long base64-like blobs)
font_00_cff_off0000993b.bin
  SHA-256: 3bdb39e33bc392014082785b6e5776da9a3ca4ddeb261af7329810abc0b1b8e8
  Kind: pdf-font-stream
  Source: PDF embedded font (CFF) at offset 0x993B
  Size: 1546 bytes
font_01_cff_off000176bc.bin
  SHA-256: b6881477c4eea3eb92b72881da1b6d614862a5ea8b479bf506fa15665b423e70
  Kind: pdf-font-stream
  Source: PDF embedded font (CFF) at offset 0x176BC
  Size: 6704 bytes
font_02_cff_off0001916a.bin
  SHA-256: cf08316f86865b7b04017d579a2704ae920225d47354aa549f69cb752312538f
  Kind: pdf-font-stream
  Source: PDF embedded font (CFF) at offset 0x1916A
  Size: 7141 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.42, consistent with packed or encrypted content; CFF font programs are compact binary data and are normally high-entropy, so this flag is a triage prompt rather than evidence of a hidden payload)
font_03_cff_off0001ad5d.bin
  SHA-256: d32a50b83ac4a7030767fb3bb5f47b550738736236d25b0cdeebb1f2d06aa930
  Kind: pdf-font-stream
  Source: PDF embedded font (CFF) at offset 0x1AD5D
  Size: 2079 bytes
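The two "Obfuscation or payload: likely" verdicts above rest on cheap static checks of the carved bytes: Shannon entropy, long base64-like runs, and a scan for obfuscation and execution/download terms. The Python below is an added example, not the engine's code, that reimplements those checks and runs them over three constructed artifacts: a SHA-256-chain blob standing in for packed or encrypted data, an XFA script fragment carrying a base64 payload next to a hex digest (to show the hex false-positive filter), and plain form text. The 7.2 bit/byte threshold, the 64-character minimum run length and the term list are this example's assumptions, chosen to be consistent with the 7.42 figure the report quotes.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Thresholds and term list are this example's assumptions.
ENTROPY_THRESHOLD = 7.2   # bits/byte; the report calls 7.42 "packed or encrypted"
MIN_BLOB_CHARS = 64
SUSPICIOUS_TERMS = (b"eval(", b"unescape(", b"fromcharcode", b"powershell",
                    b"cmd.exe", b"wscript.shell", b"urldownloadtofile", b"shellexecute")
BLOB_RE = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_CHARS)


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def base64_blobs(data):
    """Long runs of the base64 alphabet that actually decode and are not plain hex."""
    found = []
    for m in BLOB_RE.finditer(data):
        chunk = m.group(0)
        if re.fullmatch(rb"[0-9a-fA-F]+", chunk):
            continue  # hashes and hex dumps share the alphabet but are not base64
        padded = chunk + b"=" * (-len(chunk) % 4)
        try:
            base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        found.append(chunk)
    return found


def triage_artifact(data):
    """Reproduce the 'Obfuscation or payload' verdict together with its reasons."""
    entropy = shannon_entropy(data)
    blobs = base64_blobs(data)
    lowered = data.lower()
    terms = [t.decode() for t in SUSPICIOUS_TERMS if t in lowered]
    reasons = []
    if entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"entropy {entropy:.2f}, consistent with packed or encrypted content")
    if blobs:
        reasons.append(f"contains {len(blobs)} long base64-like blob(s)")
    if terms:
        reasons.append("obfuscation/execution terms: " + ", ".join(terms))
    return {"entropy": round(entropy, 2), "base64_blobs": len(blobs), "terms": terms,
            "verdict": "likely" if reasons else "not flagged", "reasons": reasons}


def pseudo_random_bytes(n, seed=b"constructed-sample"):
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for packed data."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed artifacts, loosely modelled on the carved files listed above.
SAMPLE_PACKED = pseudo_random_bytes(4096)
SAMPLE_XFA_SCRIPT = (b'<script contentType="application/x-javascript">\nvar p = "'
                     + base64.b64encode(pseudo_random_bytes(300))
                     + b'";\neval(unescape(p));\n</script>\ndigest '
                     + hashlib.sha256(b"x").hexdigest().encode() + b"\n")
SAMPLE_TEXT = (b'<field name="Name"><ui><textEdit/></ui></field>\n'
               b"Please complete all fields before submitting the form.\n")


if __name__ == "__main__":
    for name, sample in (("packed.bin", SAMPLE_PACKED), ("xfa_script.xml", SAMPLE_XFA_SCRIPT),
                         ("form_text.xml", SAMPLE_TEXT)):
        result = triage_artifact(sample)
        print(f"{name}: {result['verdict']} (entropy {result['entropy']})")
        for reason in result["reasons"]:
            print("  -", reason)
```

The packed blob is flagged on entropy alone, the XFA fragment on its base64 run and its eval/unescape terms, and the plain form text is not flagged. The entropy check is the weakest of the three in a PDF: embedded fonts, images and already-compressed streams are high-entropy by construction, which is why the CFF font above scores 7.42 without containing anything executable; treat an entropy-only hit as a prompt to inspect the artifact, and the base64-run and term checks as the stronger signals.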