Malicious PDF / .EXP — malware analysis report

Static analysis result for SHA-256 09745a7e8692f67a…

MALICIOUS

PDF / .EXP

375.7 KB
MD5: 628f77cd4ed8b4d43385cb8c3233fa0a SHA-1: 52f8b7e51d2c8d00bde14fda59cea5a231d9060a SHA-256: 09745a7e8692f67ac292a9d820084eb2dbe5c72baae67951c9d78c034535a263
126 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript, which is flagged as an exploit cluster targeting XFA forms. The JavaScript code appears to be heavily obfuscated but likely constructs a URL or command to download and execute a secondary payload. The presence of ML_NYX_PDF_MALICIOUS and PDF_JS_EXPLOIT_CLUSTER heuristics strongly indicates malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9644

Heuristics 7

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-locale-set/2.6/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0044_000.js
e77dc9aaa7c96a4c089b98c43209110ef939e2a24dd33eb056b144bbd404b34f		 pdf-javascript-stream PDF /JS object 44 at offset 0x33C9 10108 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
font_00_cff_off000063cc.bin
ea8f409c7366ed46eeb553aa7b404f04641f482ba88463fbe253da60be5787e5		 pdf-font-stream PDF embedded font (cff) at offset 0x63CC 1138 bytes
font_01_sfnt_off000071be.bin
e31f8c8507e52f29008d946a00becde9f839e34cb108985ce66167bf881adafa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71BE 8084 bytes
font_11_sfnt_off0001c776.bin
422bc5698ba5d9d4818f6a2d8b3abca2f723e713b44a15c390139d2c976a1388		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C776 65932 bytes
font_12_sfnt_off0002cb9f.bin
7e24ee16c8b09ee74d61445f29c3c0a95abfdf17fc1008606394f159dbd0c106		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2CB9F 65932 bytes
font_13_sfnt_off0003cfc8.bin
57e24925bc6bdb98d38e8b4ba3b87f80f75c5e49ea9a522486790d7dc6848549		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3CFC8 65932 bytes
font_14_sfnt_off0004d3f1.bin
1f068d668b316fcb46f0801be00137fb749cc7fda5ca15e442829d6c303d8f99		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4D3F1 65932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.