Malicious PDF — malware analysis report

Static analysis result for SHA-256 084daaea1f29ccb4…

Verdict: MALICIOUS
File type: PDF
Size: 289.1 KB
MD5: 3119cc5a01cdd72f593c82ce1490fa3f
SHA-1: 4f6ef306ba9d2e4c6e097a2d70baeaec2a69d6b7
SHA-256: 084daaea1f29ccb414c8f03b499defeb293505c47579b13b0f79aa19dd58618d
Risk score: 106

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file contains JavaScript that is flagged as an exploit. This script likely attempts to download and execute a secondary payload, as indicated by the 'PDF_JS_EXPLOIT_CLUSTER' and 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristics. The embedded file 'embedded_file_obj0015.bin' is a strong candidate for this payload.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0140

Heuristics (9)

  • PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded file (low) PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form (low) PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • JavaScript action (low) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded script payload in PDF stream (low) PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xci/2.8/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.w3.org/2001/XMLSchema-instance
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xfdf/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://cgi.adobe.com/special/acrobat/update

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size, SHA-256 and, where present, the per-artifact detection result.

  • embedded_file_obj0013.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 13 at offset 0x29013
    Size: 85 bytes
    SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
  • embedded_file_obj0014.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 14 at offset 0x290C6
    Size: 1890 bytes
    SHA-256: 9c49c1f93f3922ffae9e9c9113cc2b49dfa6ad3d35bc0623fc9693fa7ce304c8
  • embedded_file_obj0015.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 15 at offset 0x293FC
    Size: 90810 bytes
    SHA-256: dac1d55fc96bbd583543a0652f04da5e92562a9c5c7b8c9790a46182717d8c6a
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).
  • embedded_file_obj0016.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 16 at offset 0x30DED
    Size: 1371 bytes
    SHA-256: 9896024757c4b517bf226b0339914fc69e0475c821f97f8417c5ec64cbb2f913
  • embedded_file_obj0017.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 17 at offset 0x30FDD
    Size: 2920 bytes
    SHA-256: b0530d8d0be541e9a89521e93c826333096ef09af55363c5ed1bf0973704a1d2
  • embedded_file_obj0018.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 18 at offset 0x3135A
    Size: 1512 bytes
    SHA-256: 5c9f155d26a9fee2d6bd46b20b0b757faa80379e20b6b2d094932ca3ac169d0a
  • embedded_file_obj0019.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 19 at offset 0x315F5
    Size: 80 bytes
    SHA-256: 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19
  • embedded_file_obj0020.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 20 at offset 0x316A0
    Size: 694 bytes
    SHA-256: 286f6586cebb0aa10f3d0293a92622911d7ff2c05f2105c0aa1ec8de911daadd
  • stream_002_off000032bb.js
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x32BB
    Size: 1604 bytes
    SHA-256: f979542c4992f256c12537db5bbe5f86605da11ef877e634ccfc2c47c9284b10
  • stream_003_off000034a4.js
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x34A4
    Size: 902 bytes
    SHA-256: 3bf84668674e23c91aaaa6c58c24a1f80a30566e9cfbd09040882d18101fed76
  • stream_033_off00018dfd.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x18DFD
    Size: 46192 bytes
    SHA-256: f7508c28a7edc38a47f18e46f27dfcc8d68fdf7fdbb6c93508a754d7212d24de
  • stream_053_off00031872.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x31872
    Size: 87839 bytes
    SHA-256: 44ee777e12ca89be1bdc40ff1427d4992f9ca8b220dd0ac90509a3a3ca696cbd
  • stream_061_off00048205.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x48205
    Size: 502 bytes
    SHA-256: 1c6bc5ce763434298274b8885e96efb15bf5c550ee25e6d042389a372e820425
  • objstm_0301_00.bin
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 301 0 obj (inflated)
    Size: 16298 bytes
    SHA-256: ea42aecff1358160c447d9b283f46adaa2fa38259bc7ff8352ab42fc44d9eb03
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 6 long base64-like blob(s).
  • font_00_cff_off00003cac.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x3CAC
    Size: 85641 bytes
    SHA-256: 89dfde951485370b4b117b3d87067852f2852029bd11ebcf2817dbc2e5812d7d
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact entropy is 7.45, consistent with packed or encrypted content.
  • font_01_cff_off00040097.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x40097
    Size: 31706 bytes
    SHA-256: 76911b10d0e3a599e9481f5f3f875b0c2432bd33d8fdbfffa37a22aac7e76b24