Malicious PDF — malware analysis report

Static analysis result for SHA-256 08975c6893caff11…

Verdict: MALICIOUS
File type: PDF
Size: 985.5 KB
Created: 2007-03-23 11:58:44 +11:00
Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 6.0.1 (Windows))
MD5: a82c8e124c27f29c618f18d357f6a7d7
SHA-1: 4750543e3b9e8a1502a1d2511cab163e7fe2e4e3
SHA-256: 08975c6893caff11ca3f5d82bd26cc2ca286d6ddcb684ebd2d50c7846e0ae373
Risk Score: 174

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF sample contains embedded JavaScript that utilizes eval() and String.fromCharCode, indicating obfuscation and potential exploit activity. The JavaScript stream, when decoded, appears to be a downloader or dropper, likely responsible for fetching and executing a secondary payload from one of the embedded URLs. The presence of an embedded file named 'PM.joboptions' and a JavaScript file further supports this. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9535

Heuristics (9)

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Additional-actions dictionary low PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://map.perucultural.org.pe
    • http://perucuzco.com/rupa
    • http://www.color.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (24)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256

PM.joboptions | pdf-embedded-file | PDF EmbeddedFile object 228 at offset 0xD29EC | 12758 bytes | 5cf97cfee76c3bcd5d889b3138e05d6571e7d097b173dd3eee4be6813c9dd743
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 12 long base64-like blobs).

javascript_obj0089_003.js | pdf-javascript-stream | PDF /JS object 89 at offset 0x4A1D | 9278 bytes | df3066947d8f229cdc5ab54fccd89226c8e32a3d39abed1675cd48ccccae2eea
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens).

stream_049_off000981d8.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x981D8 | 16457 bytes | 3a3bdb3024c1c7594b559a72219d0970fadb562266d5620594292cb6bda46799
stream_092_off000ed84d.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xED84D | 5325 bytes | bb57daef6a5f16139569fd25beec82cabc19b43c498f92b4d5f2c51559875a9b
font_00_cff_off000d9fd9.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xD9FD9 | 6674 bytes | 9abe7060e90ed8be0e1fec89f1a019fbf867283cef4a0debc8b191766beade71
font_01_cff_off000db64f.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xDB64F | 11628 bytes | 5c65942f428492c8abc256a1873d1c3e2795d1bdc0e855d06c3532e46e69d4e2
font_02_cff_off000dda84.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xDDA84 | 1739 bytes | b2c1727f677ffe3dfec9efc001de8c5e4faaa3b9664b51f9075150e21b3e2697
font_03_cff_off000de10b.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xDE10B | 344 bytes | 89a4a8dda94376ff41fc66e14938d1343aae1e52401ab0c1ca7dc87b05705dd7
font_04_cff_off000de2b1.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xDE2B1 | 5427 bytes | f290febfe9f86dbc8eebd9f05545249d120076d2494b0c17e6fd694db951db59
font_05_cff_off000df3c2.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xDF3C2 | 4550 bytes | 23cc21031d2e5d14daedc236dbf5dda61ff77b869762958f56d5e8c74c924d90
font_06_cff_off000e0383.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xE0383 | 10989 bytes | 732ee10c168e303c1c43016af0a795812870fafae85fd701e4462ab7be39ec74
font_07_cff_off000e25b8.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xE25B8 | 3765 bytes | 286024b2e1c1cf26dbb20d06dcf67216d33dcddd65487a7c969bfed5d83890b1
font_08_cff_off000e324e.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xE324E | 5981 bytes | c0e3eb9477d2098a35ea52b3a3d44bd668bc8647f27d8d0b5e6717fabbce04e2
font_09_cff_off000e4721.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xE4721 | 8710 bytes | d8091add2fe5839ae7d6819262ab968261e71c56c89e4c76b50e6d955c781a91
font_10_cff_off000e6356.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xE6356 | 146 bytes | 72e8655da6974c1a005ce24079cd80acad9bc4c95c6e0d465a85f1bcb433e5e0
font_11_cff_off000e643b.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xE643B | 3834 bytes | 7f5f582bed9380cd2704c3d17a78a339fe597f922bcab47428620dc64c1ea86e
font_12_cff_off000e7111.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xE7111 | 3282 bytes | 2a0957fc9e4ec2619aaea996482308e1547550ad838f9858471cced9d07aec4f
font_13_cff_off000e78b0.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xE78B0 | 20543 bytes | 0747bf0982ce38a787d73551ee531011328d6483fa745e3e9c436d086fad9cb6
font_14_cff_off000eb451.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xEB451 | 12390 bytes | f77b47d6881cc9918e03da6250e4bddd966705c75b72243401299b6b47a402e7
font_16_cff_off000ee95c.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xEE95C | 4326 bytes | 93aec3901c615fe223cf0d1b99089b90c4496b5ef5d998ccb525b4a8cd4e74c2
font_17_cff_off000ef938.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xEF938 | 5038 bytes | 3a5dfd1f9eb957ee039d7e49012a41e76f45cd3b6760f556ad86e9f90ac05c20
font_18_cff_off000f0af4.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xF0AF4 | 2382 bytes | 3d35cd988b24f9766e76ac72688f03029298df676e285947740e08506d26434e
font_19_cff_off000f2d69.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xF2D69 | 8350 bytes | 6a315c4e6a74aa87bbe309ebbd49ffae0379b12994da202552ac98107857a98f
font_20_cff_off000f46f8.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xF46F8 | 1729 bytes | 93adbde5569c00297551e68ebd8f09443ed004df2653137c81efc7951c2ba93a