Malicious PDF — malware analysis report

Static analysis result for SHA-256 0873b4f072b9198f…

Verdict: MALICIOUS
File type: PDF
Size: 475.3 KB
Created: [unreadable metadata]
Authoring application: [unreadable metadata]
MD5: 61534ad8920bc9ff52fd36a348ddc884
SHA-1: 981a9fa94b1152e02438c07153720019099401a4
SHA-256: 0873b4f072b9198f9fbea1d727c7866df98e2f6cb4f51763db23662d07cc34bd
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

This PDF document is flagged as malicious by an ML classifier and exhibits the characteristics of an advance-fee scam. It contains embedded JavaScript that is likely used to hide malicious content or to execute further actions, as indicated by the 'PDF_ENCRYPTED_WITH_JS' heuristic. The document's content and structure strongly suggest a phishing attempt designed to lure victims into a financial scam.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9411

Heuristics (9)

  • [high] PDF_ENCRYPTED_WITH_JS: Encrypted PDF carries /JavaScript; payload hidden from static analysis
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • [high] SE_ADVANCE_FEE_SCAM_LURE: Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • [low] PDF_JAVASCRIPT: JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_AA: Additional-actions dictionary
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm), which can auto-trigger on document or widget events. Form-field calculate/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.).
  • [low] PDF_ACROFORM_BUTTON: AcroForm button with action trigger
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • [info] PDF_IMAGE_ONLY_LURE: PDF paints image(s) but contains no text operators
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either the raw bytes or the decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or a risky URI context.
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (17)

Files carved from inside the sample during analysis.

Each entry lists: Filename, SHA-256, Kind, Source, Size, and any per-artifact Detection result.

javascript_obj0205_003.js
  SHA-256: 88cf83eacfa4ab997462d207c0c2ed6b53626fc3794ce976e7bdf29d2c84f5d4
  Kind: pdf-javascript-stream | Source: PDF /JS object 205 at offset 0x17387 | Size: 213 bytes

javascript_obj0207_004.js
  SHA-256: f24f44ca9d60dd42a63432989aaa4b625b3f58ca8efbcc9b7f760bb4a53d1e2a
  Kind: pdf-javascript-stream | Source: PDF /JS object 207 at offset 0x1755A | Size: 107 bytes

javascript_obj0491_005.js
  SHA-256: c38400d86732ecb63a091edcdddee6ee8fa202e904f5c97c888261cde9e2d488
  Kind: pdf-javascript-stream | Source: PDF /JS object 491 at offset 0x2A472 | Size: 8244 bytes

javascript_obj0492_006.js
  SHA-256: 157d94c4373fc7674528b2b92bd73c7fb605ba41abc50f521589bd013af87b68
  Kind: pdf-javascript-stream | Source: PDF /JS object 492 at offset 0x2ABF4 | Size: 21193 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))

javascript_obj0493_007.js
  SHA-256: e6148b768af5b12460cf3e62fbab899b427b7493847763e208cddbfbe94685cd
  Kind: pdf-javascript-stream | Source: PDF /JS object 493 at offset 0x2CDB0 | Size: 33138 bytes

javascript_obj0494_008.js
  SHA-256: 39870fa639023e1c1037025cd3aff7476ca1e512085ebc575525ff8b7602dd07
  Kind: pdf-javascript-stream | Source: PDF /JS object 494 at offset 0x2F3D2 | Size: 144011 bytes

javascript_obj0495_009.js
  SHA-256: 49d177a22a6b482854905dd529ff39079414987568d0f17e2a38712e3367763b
  Kind: pdf-javascript-stream | Source: PDF /JS object 495 at offset 0x3C097 | Size: 8595 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))

javascript_obj0496_010.js
  SHA-256: f667de1ba2f5689c2db6ca8efec22f4cae905543c7e55765301e47c9d3e39d66
  Kind: pdf-javascript-stream | Source: PDF /JS object 496 at offset 0x3CC4E | Size: 1049 bytes

javascript_obj0497_011.js
  SHA-256: 6bf6a9f966c7e84faccf5e1acbfdf2980a18334f7c940bcfc5fb9e40ee1ba433
  Kind: pdf-javascript-stream | Source: PDF /JS object 497 at offset 0x3CEDD | Size: 10822 bytes

javascript_obj0498_012.js
  SHA-256: 38eb6503816e93b4e38a8799ed0489e22a78ea46de65bfdb94078651c338d95e
  Kind: pdf-javascript-stream | Source: PDF /JS object 498 at offset 0x3D6F4 | Size: 16058 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))

javascript_obj0499_013.js
  SHA-256: 171aac8e2208b35087228e919d8c6b105689701aebd7f411e407cdb6ab3fbd35
  Kind: pdf-javascript-stream | Source: PDF /JS object 499 at offset 0x3DFBA | Size: 14156 bytes

javascript_obj0500_014.js
  SHA-256: e4d35fcb7e7068e792331bae5b86b95b7acc3f6ffc1b7ca8c13fa98fcc57fce3
  Kind: pdf-javascript-stream | Source: PDF /JS object 500 at offset 0x3ED5A | Size: 24823 bytes

javascript_obj0501_015.js
  SHA-256: e112504c3e077a4040d2000503aae4ef8e195ed2dc59ba49e8cae4e77c4c2928
  Kind: pdf-javascript-stream | Source: PDF /JS object 501 at offset 0x40740 | Size: 222716 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))

icc_00_off00050f15.icc
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  Kind: pdf-icc-profile | Source: PDF ICC profile at offset 0x50F15 | Size: 3144 bytes

font_00_sfnt_off00054d19.bin
  SHA-256: 85c813e09952be46fcfcbd51852effad0f749d2257b07cbbcc311b2748bcca45
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x54D19 | Size: 88232 bytes

font_01_sfnt_off0006758e.bin
  SHA-256: cc076de55c832733b65771a0e0afd20aaedc0f414457e018d1ac0f27cac002f7
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x6758E | Size: 13652 bytes

font_02_sfnt_off0007575f.bin
  SHA-256: a0070fe3c7a2a32579d70ed82af77041a0e40eb3db6c7fc8af4c14f419f202b4
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x7575F | Size: 9716 bytes