Malicious PDF — malware analysis report

Static analysis result for SHA-256 0a326eb9a416f039…

MALICIOUS

PDF

Size: 60.9 KB
Created: 2017-05-23 13:08:53 +03:00
Authoring application: iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5: 6f3090cf5fb621de204659b57a69c257
SHA-1: b19e4941f07bd190258335e5e7505cb0d2a8cc8a
SHA-256: 0a326eb9a416f039be104bb5f199b7f3442515f88bd5c7ad1492b1721c174b8e
Risk Score: 278

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains obfuscated embedded JavaScript (an unescape() call is matched inside a decoded /JS stream) that attempts to export one of the document's embedded data objects, which is the Acrobat JavaScript route for writing an attachment to disk and points to staging an embedded malicious file for execution. The critical PDF_JS_EXPLOIT_CLUSTER heuristic, together with the ClamAV detection Doc.Downloader.Jaff-6316585-1 on both the PDF itself and the carved GYTKPVM.docm, strongly indicates malicious intent. The embedded artifacts are a macro-enabled Word document (GYTKPVM.docm), an Excel file (1.xlsx), a small archive (GYTKPVM.zip) and a text file (GYTKPVM_1.txt), suggesting a multi-stage attack in which the PDF acts as a dropper and the Office document is the next stage.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 9

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Doc.Downloader.Jaff-6316585-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Jaff-6316585-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 11

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size. Detection and triage notes follow the artifact they apply to.

  • GYTKPVM.zip
    SHA-256: 903009fce8532924f1b563553078268fb6658e76b1b0ab6df9ca5d1463757beb
    Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 4 at offset 0x8D2  Size: 116 bytes
  • 1.xlsx
    SHA-256: 95d44ba9b1684bda97fd78f150794190549cc6712a039efd73b775a8049daec2
    Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 8 at offset 0xA24  Size: 7723 bytes
  • GYTKPVM_1.txt
    SHA-256: 7da2181b90fbee9faefb469f00d6e5fe18e4da5aaee57a278d5e7d9c9182cdb9
    Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 10 at offset 0x203B  Size: 38 bytes
  • GYTKPVM.docm
    SHA-256: 1021578667c6752cc3c9ddc2091339a490ae0a6ecee695fbec9f5ae6ff412a4b
    Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 14 at offset 0x2137  Size: 62550 bytes
    Detection: ClamAV: Doc.Downloader.Jaff-6316585-1
    Obfuscation or payload: unlikely
  • javascript_obj0016_000.js
    SHA-256: bec5ea2f3f568c188145e95a0111bb1f5174bc8d0816fbb354732f7bce5729ae
    Kind: pdf-javascript-stream  Source: PDF /JS object 16 at offset 0xE2BA  Size: 42 bytes
  • javascript_obj0020_002.js
    SHA-256: 9f21eed4d76aba6a6993c447d0cc77470af2201ffe8938b02c66c7b2cd3ef7e7
    Kind: pdf-javascript-stream  Source: PDF /JS object 20 at offset 0xE6D6  Size: 40 bytes
  • javascript_obj0023_005.js
    SHA-256: bd41f6b1362d3fc13e4b81b89a1ac96240147a66860aaf7d4eba0530d4359e7d
    Kind: pdf-javascript-stream  Source: PDF /JS object 23 at offset 0xE7A2  Size: 48 bytes
  • javascript_obj0028_006.js
    SHA-256: 9e76a52e66e3c67ec18bf61653ea3abff60ac6527ddfe5494a9e8be64e04fe20
    Kind: pdf-javascript-stream  Source: PDF /JS object 28 at offset 0xEBC0  Size: 44 bytes
  • javascript_obj0017_008.js
    SHA-256: 675af4f4360307173b0227ca55bfa9a0016ffe54d159d98ef215e85f333dd8ea
    Kind: pdf-javascript-stream  Source: PDF /JS object 17 at offset 0xE30D  Size: 2500 bytes
  • javascript_obj0024_009.js
    SHA-256: e28ec4fc24a68b846c78647d7004f176ef63c408ed3a88c226a1d8b4ff635377
    Kind: pdf-javascript-stream  Source: PDF /JS object 24 at offset 0xE7FC  Size: 976 bytes
  • javascript_obj0026_010.js
    SHA-256: 544e27854e7b7a8879e59d293ec1dd49ea158131bba0650dc30b5a36bd1b089f
    Kind: pdf-javascript-stream  Source: PDF /JS object 26 at offset 0xE9FF  Size: 882 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 eval/decoder/string-building token(s).
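As an added example that is not part of this report or its scanner, the following Python script reproduces the static checks behind the heuristics and the artifact table above on a PDF it constructs itself: it resolves /JS references (inline strings and stream objects) and inflates FlateDecode streams, flags the staging tokens that PDF_UNESCAPE and the exploit cluster key on, carves /Type /EmbeddedFile streams with object number, byte offset, size and SHA-256 in the shape of the artifact table, and applies the no-text-operators test behind PDF_IMAGE_ONLY_LURE. The object layout, the token list, the reuse of the name GYTKPVM.docm as a label and all function names are this example's assumptions, not details of the analysed file. Scanning for objects by regex rather than through the xref is deliberate (it survives a damaged or deliberately mangled cross-reference table), but the parser does not handle object streams (/ObjStm), filter chains other than a single FlateDecode, or inline /JS strings containing nested parentheses.

```python
import hashlib
import re
import zlib

# Assumed token set for PDF_UNESCAPE / PDF_JS_EXPLOIT_CLUSTER; text operators per PDF_IMAGE_ONLY_LURE.
STAGING_TOKENS = (b"unescape", b"eval", b"fromCharCode", b"exportDataObject")
TEXT_OPERATORS = re.compile(rb"(?:^|\s)(?:BT|ET|Tj|TJ|'|\")(?:\s|$)")
OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)

def _objects(pdf):
    """Object number -> (byte offset, body), found by scanning rather than via the xref."""
    return {int(m.group(1)): (m.start(), m.group(2)) for m in OBJ_RE.finditer(pdf)}

def _stream(body):
    """Stream payload of one object, inflated when /FlateDecode is set; None if no stream."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    return zlib.decompress(m.group(1)) if b"/FlateDecode" in body[:m.start()] else m.group(1)

def find_js(pdf):
    """{objnum: JS source} for inline /JS (...) strings and /JS N 0 R stream references."""
    objs, found = _objects(pdf), {}
    for num, (_, body) in objs.items():
        m = re.search(rb"/JS\s*(?:\((.*?)\)|(\d+) 0 R)", body, re.S)
        if m and m.group(1) is not None:
            found[num] = m.group(1)
        elif m:  # follow the reference and report the stream object, as the table does
            data = _stream(objs.get(int(m.group(2)), (0, b""))[1])
            if data:
                found[int(m.group(2))] = data
    return found

def js_indicators(js):
    """Staging tokens present in one script, in STAGING_TOKENS order."""
    return [t.decode() for t in STAGING_TOKENS if t in js]

def carve_embedded_files(pdf):
    """Carve each /Type /EmbeddedFile stream with object number, offset, size, SHA-256 and name."""
    objs, names, carved = _objects(pdf), {}, []
    for _, body in objs.values():  # /Filespec objects map an /EF stream back to its filename
        m = re.search(rb"/F\s*\((.*?)\).*?/EF\s*<<\s*/F\s+(\d+) 0 R", body, re.S)
        if m:
            names[int(m.group(2))] = m.group(1).decode("latin-1")
    for num, (offset, body) in objs.items():
        data = _stream(body) if re.search(rb"/Type\s*/EmbeddedFile\b", body) else None
        if data is not None:  # the \b keeps the catalog's /EmbeddedFiles name tree out
            carved.append({"obj": num, "offset": offset, "name": names.get(num, "unnamed"),
                           "size": len(data), "sha256": hashlib.sha256(data).hexdigest(), "data": data})
    return carved

def image_only_lure(pdf):
    """True when an image XObject is present but no page content stream emits text."""
    objs = _objects(pdf)
    has_image = any(re.search(rb"/Subtype\s*/Image\b", b) for _, b in objs.values())
    refs = re.findall(rb"/Contents\s+(\d+) 0 R", pdf)
    contents = [_stream(objs.get(int(r), (0, b""))[1]) or b"" for r in refs]
    return has_image and not any(TEXT_OPERATORS.search(c) for c in contents)

def triage(pdf):
    """Correlate the signals the way the report's critical cluster heuristic does."""
    js = find_js(pdf)
    tokens = sorted({t for code in js.values() for t in js_indicators(code)})
    return {"js_objects": sorted(js), "staging_tokens": tokens,
            "embedded": [(f["name"], f["obj"], f["size"]) for f in carve_embedded_files(pdf)],
            "image_only_lure": image_only_lure(pdf),
            "js_exploit_cluster": bool(js) and bool(tokens)}  # JS surface + staging indicator

def _obj(num, dict_body, stream=None, compress=False):
    """Serialise one indirect object for the constructed sample (no xref table is written)."""
    if stream is None:
        return b"%d 0 obj\n<< %s >>\nendobj\n" % (num, dict_body)
    if compress:
        stream, dict_body = zlib.compress(stream), dict_body + b" /Filter /FlateDecode"
    dict_body += b" /Length %d" % len(stream)
    return b"%d 0 obj\n<< %s >>\nstream\n%s\nendstream\nendobj\n" % (num, dict_body, stream)

def build_sample_pdf():
    """Constructed stand-in with the sample's shape: OpenAction JS, one attachment, one image."""
    js = (b"var sc = unescape('%u9090%u9090');\n"
          b"this.exportDataObject({cName: 'GYTKPVM.docm', nLaunch: 2});")
    docm = b"PK\x03\x04 constructed stand-in for the embedded .docm"  # not the real artifact
    body = b"".join([
        _obj(1, b"/Type /Catalog /Pages 2 0 R /OpenAction 5 0 R "
                b"/Names << /EmbeddedFiles << /Names [(GYTKPVM.docm) 6 0 R] >> >>"),
        _obj(2, b"/Type /Pages /Kids [3 0 R] /Count 1"),
        _obj(3, b"/Type /Page /Parent 2 0 R /Resources << /XObject << /Im1 8 0 R >> >> /Contents 4 0 R"),
        _obj(4, b"", b"q 612 0 0 792 0 0 cm /Im1 Do Q"),  # paints the image, no BT/Tj/TJ
        _obj(5, b"/S /JavaScript /JS 9 0 R"),  # document-open action pointing at the JS stream
        _obj(6, b"/Type /Filespec /F (GYTKPVM.docm) /EF << /F 7 0 R >>"),
        _obj(7, b"/Type /EmbeddedFile", docm, compress=True),
        _obj(8, b"/Type /XObject /Subtype /Image /Width 1 /Height 1 /BitsPerComponent 8 /ColorSpace /DeviceGray", b"\xff"),
        _obj(9, b"", js, compress=True),
    ])
    return b"%PDF-1.7\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    sample = build_sample_pdf()
    for f in carve_embedded_files(sample):
        print(f"{f['name']}  EmbeddedFile object {f['obj']} at offset 0x{f['offset']:X}  {f['size']} bytes  {f['sha256']}")
    print(triage(sample))
```

Run it directly to get one line per carved artifact in the table's format plus the correlated verdict; on a real sample, pass the file's bytes instead of build_sample_pdf(). The cluster verdict deliberately requires both a JavaScript surface and at least one staging token, which is why benign form scripts stay at the low PDF_JAVASCRIPT/PDF_JS severities while an unescape()/exportDataObject pair like the one above escalates.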