Malicious PDF — malware analysis report

Static analysis result for SHA-256 0795682d8edbaf65…

MALICIOUS

PDF

Size: 31.5 KB
Created: 2010-02-28 19:44:45 +03:00
Authoring application: bcComesMore (via 0055a5709f2388ee34e6a39c4719fccb)
MD5: 225d265bba6d3e8d1653cfa6c8395b10
SHA-1: f190936cb98e26ad9c1172d3dffc4357de0e6ab7
SHA-256: 0795682d8edbaf65bf12e8db3936be8c545eaa5155b2b83ec1066333a4bcfd97
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file contains multiple embedded JavaScript streams, indicating an attempt to execute malicious code. The ML classifier strongly flagged this PDF as malicious. The JavaScript code appears to be obfuscated but likely aims to download and execute a second-stage payload, using the 'app.doc.keywords' and 'app.doc.title' document properties for obfuscation or configuration. The presence of JavaScript actions together with filters such as ASCII85Decode further supports the assessment that the file attempts to exploit PDF vulnerabilities.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9978

Heuristics (4)

  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter with exploit indicators (severity: low, rule: PDF_FILTER_85)
    ASCII85 encoding filter present alongside exploit delivery indicators; uncommon outside of obfuscation.
  • Optional Content Group with action trigger (severity: low, rule: PDF_OPTIONAL_CONTENT)
    Optional Content Group (layer) co-occurs with an action trigger; content can be selectively hidden from viewers or scanners while the action still fires on open.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • javascript_obj0014_000.js
    SHA-256: d487672276ba280caa5ae7e29b462b695ec15f22aed3a1a74decb5532b46f45b
    Kind: pdf-javascript-stream; Source: PDF /JS object 14 at offset 0x1CB8; Size: 114 bytes
  • javascript_obj0016_001.js
    SHA-256: 60912f63a832da5a71620ee7e650857c46ec575348d4f57c83cce1220e1b1baa
    Kind: pdf-javascript-stream; Source: PDF /JS object 16 at offset 0x1DD1; Size: 37120 bytes
  • javascript_obj0018_002.js
    SHA-256: 16f6cb466e64b4c2e123d7485c4c4ca666fd50b722a5c2a4336ab60f8975b265
    Kind: pdf-javascript-stream; Source: PDF /JS object 18 at offset 0x77E9; Size: 83 bytes