Malicious PDF — malware analysis report

Static analysis result for SHA-256 066752ef44a5f89b…

MALICIOUS

PDF

107.9 KB Created: 2008-10-28 08:48:44 +01:00 Authoring application: Adobe LiveCycle Designer 8.0
MD5: bfe23962c62693769025494e9f956735 SHA-1: 87ed4be5d2183dedff7e53811b5141e109f15b7d SHA-256: 066752ef44a5f89b4aa3837050d76f1f369612b1d7b0ca892dceb062e0e6ac1d
134 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF sample contains embedded JavaScript and XFA form elements, which are known vectors for exploiting PDF vulnerabilities. The JavaScript code attempts to prompt the user to update their Adobe Reader or Acrobat, directing them to a URL that is likely used to download a secondary payload. The ML classifier strongly indicates maliciousness, and the presence of exploit cluster heuristics further supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics 8

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded script payload in PDF stream low PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.monotype.comMonotype
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://cgi.adobe.com/special/acrobat/update
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xtd/
    • http://ns.adobe.com/xfdf/
    • http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.html

Extracted artifacts 12

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0003.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x16C5C 85 bytes
embedded_file_obj0004.bin
4ef325b14263b6d2a555899e073fa1dddfb6c4c8c0c04ff8f091aab985759e86		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x16D0F 3349 bytes
embedded_file_obj0005.bin
1038c6bb93a8996df91f44e08574655ed3a00f34bb6c4aab666664a525fbee5c		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x171CA 40618 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
embedded_file_obj0006.bin
a8d2cd1302a8c7607ceca6ddec6efe61839bcac8f71b8bc5932623262cbe2d70		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x194A4 2415 bytes
embedded_file_obj0007.bin
7e915b5dd2e321929666a7b64c038b67678092d6e43a4a70683521856a4d5128		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x19792 214 bytes
embedded_file_obj0008.bin
e6fd0d1d39ba91b7ced8bae2ef133ca462ac25844f177d7c9c8d8c79753b74c1		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x1988C 157 bytes
embedded_file_obj0009.bin
bae3c7e4f42a8f21274a6d6659b5ef39889d1c4f4d6acad3f7207126402cf6f3		 pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x19957 799 bytes
embedded_file_obj0010.bin
b1b296d371e691ae903fc90e2f3bd69eeac3730137d7c7f5d9379aed02cb51d6		 pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x19B67 110 bytes
javascript_obj0046_000.js
04ceb4c2218e7db19a6e007ca4ce846f92c17fff5eaf3a611e71bbd7a5726917		 pdf-javascript-stream PDF /JS object 46 at offset 0x6F6 1535 bytes
javascript_obj0047_001.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 pdf-javascript-stream PDF /JS object 47 at offset 0x8E1 870 bytes
javascript_obj0048_002.js
f818e05264775fea0eb227255ff8484376757141decbcbc69724ac650f3c7c50		 pdf-javascript-stream PDF /JS object 48 at offset 0xA3B 3795 bytes
stream_007_off00002299.bin
32bdb0d084cec8e2b99ccd3f6f63674695356aef137f62a023b0e88696da6147		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2299 78325 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.