PDF static analysis report

Static analysis result for SHA-256 0cedb79309062e8c…

Verdict: SUSPICIOUS
File type: PDF
Size: 74.8 KB
Created: 2003-02-14 19:44:17 +09:00
Authoring application: Adobe Illustrator 9.0.2 (via Adobe PDF library 4.800)
First seen: 2014-06-27
MD5: 520867d8359afcf4774846c77efce3b2
SHA-1: ae9b75ef784d207205ec8db1474869c3871b1bc3
SHA-256: 0cedb79309062e8c137e85cebf33087f596e9bce50bdf8ee37fb674ae65a7a30
Risk score: 50

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The sample is a PDF file flagged as suspicious by an ML classifier. It contains multiple embedded JavaScript streams, indicating an attempt to execute code. The JavaScript appears to be related to date formatting and user identity, which could be part of an exploit chain or a lure. The presence of JavaScript actions and streams strongly suggests an attempt to leverage client-side execution vulnerabilities.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7538

Heuristics (4)

  • JavaScript action (severity: low; rule PDF_JAVASCRIPT; 1 related finding)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies (severity: info; rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs and the channel that reached each:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

javascript_obj0122_000.js | pdf-javascript-stream | PDF /JS object 122 at offset 0x2614 | 80 bytes
SHA-256: 4b472120289e2531cfc48a07fdb6cdd5fd1a7dd6fe07deabdcab72ba2d239b1f
Extracted script (first 1,000 lines):
event.value = (new Date()).toString();
AFDate_FormatEx("mm/dd/yy, tt hh:mm");

javascript_obj0082_001.js | pdf-javascript-stream | PDF /JS object 82 at offset 0xB5D5 | 84 bytes
SHA-256: 65e9a29d746d5dddb837ecf61cddc8549317c2e34bc5889766d31ed5439d0d72
Extracted script (first 1,000 lines):
event.value = (identity.corporation || (event.source.source || this).Collab.user);

javascript_obj0140_002.js | pdf-javascript-stream | PDF /JS object 140 at offset 0x10FD1 | 79 bytes
SHA-256: ff82fe1247e31eab1f429a064980aec94a640160609b26aa171cf86daf6cd9ea
Extracted script (first 1,000 lines):
event.value = (new Date()).toString();
AFDate_FormatEx("yy/mm/dd, tt h:MM");

javascript_obj0147_003.js | pdf-javascript-stream | PDF /JS object 147 at offset 0x12882 | 76 bytes
SHA-256: 4d0f3be7848db631ee44568e4d096d75a3e3a20a583d93883aa3008d83b81e86
Extracted script (first 1,000 lines):
event.value = (new Date()).toString();
AFDate_FormatEx("yy/mm/dd, H:MM");

javascript_obj0067_004.js | pdf-javascript-stream | PDF /JS object 67 at offset 0xAAF6 | 272 bytes
SHA-256: cd068f7b15411da4ca8e984d2d5ec9ea48677b62a662ffa363b2a74676f3c653
Extracted script (first 1,000 lines):
event.value = (new Date()).toString();
AFDate_FormatEx("mm/dd/yy, tt hh:mm");
event.value = ((!identity.name || identity.loginName != (event.source.source || this).Collab.user) ? (event.source.source || this).Collab.user : identity.name) + "(" + event.value + ")";

javascript_obj0135_005.js | pdf-javascript-stream | PDF /JS object 135 at offset 0x10C96 | 271 bytes
SHA-256: 9bac49d80427a062eedcdc4b3d8f8b615b55f8e47b9c01e64514b5eb60427349
Extracted script (first 1,000 lines):
event.value = (new Date()).toString();
AFDate_FormatEx("yy/mm/dd, tt h:MM");
event.value = ((!identity.name || identity.loginName != (event.source.source || this).Collab.user) ? (event.source.source || this).Collab.user : identity.name) + "(" + event.value + ")";

javascript_obj0142_006.js | pdf-javascript-stream | PDF /JS object 142 at offset 0x1254A | 268 bytes
SHA-256: c6f2d0e458a52929d53aa76f0c08434014e7b5a46072dd3419696fdcc6db76e6
Extracted script (first 1,000 lines):
event.value = (new Date()).toString();
AFDate_FormatEx("yy/mm/dd, H:MM");
event.value = ((!identity.name || identity.loginName != (event.source.source || this).Collab.user) ? (event.source.source || this).Collab.user : identity.name) + "(" + event.value + ")";