Malicious PDF — malware analysis report

Static analysis result for SHA-256 0dfcbb3e0e826d23…

Verdict: MALICIOUS
File type: PDF
Size: 94.3 KB
Created: 2007-03-09 11:40:46 +01:00
Authoring application: The AcroTeX eDucation Bundle (via pdfTeX-1.40.3)
MD5: 1ce7c5de5ca24fa36432f33c08e2c6c7
SHA-1: e2ea91fb60a460f79827591dc71221748b5fb118
SHA-256: 0dfcbb3e0e826d238c4cfdc73e7531b4d9aed63c2f3183764a3cf88e5925d9e0
Risk score: 164

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF file contains multiple embedded JavaScript streams, and a critical heuristic fired for a PDF JavaScript exploit cluster. The JavaScript code appears to be designed for evaluating mathematical expressions and includes functions for checking balanced parentheses and validating mathematical syntax. The presence of `eval()` calls and the ML classifier's high confidence indicate malicious intent, likely to exploit a vulnerability within the PDF viewer or to execute arbitrary code.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9668

Heuristics (7)

  • PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call (high, PDF_EVAL)
    eval() found; commonly used for obfuscated exploit execution.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Additional-actions dictionary (low, PDF_AA)
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm), which can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.).
  • AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (29)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, and then Kind / Source / Size; detection notes follow where the triage checks fired.

  • javascript_obj0015_000.js
    SHA-256: 81ee36913fe8ee5982c4ec45e83feae0150d97d2f55255b8f33e857de775dc2d
    Kind: pdf-javascript-stream; Source: PDF /JS object 15 at offset 0x4D3; Size: 163 bytes
  • javascript_obj0016_001.js
    SHA-256: d5f895113bcf5bd92f48fd8a79e66ee8dffdb00de645fdcc31b3cf7bc7c5aa6f
    Kind: pdf-javascript-stream; Source: PDF /JS object 16 at offset 0x5B9; Size: 934 bytes
  • javascript_obj0016_002.js
    SHA-256: 0aff4f995fbc6af3aafb16c9ced493276412d9fe60f6aaa0df2cd25f4cd916e3
    Kind: pdf-javascript-stream; Source: PDF /JS object 16 at offset 0x5B9; Size: 181 bytes
  • javascript_obj0017_003.js
    SHA-256: 156d1e83dba5cedb7ae3e162ff15846265d2b7a8e26d5b3311e0f49f5bc71e27
    Kind: pdf-javascript-stream; Source: PDF /JS object 17 at offset 0x9F4; Size: 9446 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 18 eval/decoder/string-building token(s).
  • javascript_obj0017_004.js
    SHA-256: f531222f36bde7e3702f4676fcfb8df0304f583b3a6dd8589a8c6553a8d55972
    Kind: pdf-javascript-stream; Source: PDF /JS object 17 at offset 0x9F4; Size: 47 bytes
  • javascript_obj0018_005.js
    SHA-256: 6dafa9801ae1887e4595da1dd9c09320d21d69198f720d918aeefca040d46eb0
    Kind: pdf-javascript-stream; Source: PDF /JS object 18 at offset 0x32E1; Size: 1703 bytes
  • javascript_obj0019_007.js
    SHA-256: cd6bc202d687fff0840edfc71b77258e20fe4a92939fa598e4d8b41d9ebe8f90
    Kind: pdf-javascript-stream; Source: PDF /JS object 19 at offset 0x3A47; Size: 9373 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
  • javascript_obj0020_009.js
    SHA-256: eaac58d49614c5669b522b08e820252bfbb406094d457a8d9c7f5ac9427f0a41
    Kind: pdf-javascript-stream; Source: PDF /JS object 20 at offset 0x6237; Size: 2200 bytes
  • javascript_obj0020_010.js
    SHA-256: fa562bd65a6760194901727d09a59bbbee66e5103d64da03231924d40b86ed59
    Kind: pdf-javascript-stream; Source: PDF /JS object 20 at offset 0x6237; Size: 45 bytes
  • javascript_obj0021_011.js
    SHA-256: 7848c46c7aedb832af848a617068ebd3b85a506a927fe348247da262e4726217
    Kind: pdf-javascript-stream; Source: PDF /JS object 21 at offset 0x6BDE; Size: 716 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s).
  • javascript_obj0021_012.js
    SHA-256: f8fbc068303dfbb938e728f72740d0f912412a87cab49f909f5db09c0a6393d7
    Kind: pdf-javascript-stream; Source: PDF /JS object 21 at offset 0x6BDE; Size: 51 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
  • javascript_obj0022_013.js
    SHA-256: 897f01c323e4a6b6b37280827fdad4ad5c2c49daff69ac6c1881eaaf93b5ea54
    Kind: pdf-javascript-stream; Source: PDF /JS object 22 at offset 0x6F1A; Size: 112 bytes
  • javascript_obj0023_014.js
    SHA-256: cd074c33091c566e0b6de6c9c81a86841932f0779edadd6e84b7fb9b2ccdabc4
    Kind: pdf-javascript-stream; Source: PDF /JS object 23 at offset 0x6FC7; Size: 1694 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 13 eval/decoder/string-building token(s).
  • javascript_obj0023_015.js
    SHA-256: 9c8e131e39b271c45fec5e60193978a6a47db104b9a1d3cd0699664c65db2959
    Kind: pdf-javascript-stream; Source: PDF /JS object 23 at offset 0x6FC7; Size: 36 bytes
  • javascript_obj0024_016.js
    SHA-256: 2794bc21572ad20b6eeda355f21aaed4530a30de4e581ead9a9dbd31509e0b7c
    Kind: pdf-javascript-stream; Source: PDF /JS object 24 at offset 0x772F; Size: 4363 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
  • javascript_obj0025_018.js
    SHA-256: f3ec06f97322f3d48513dc5be2c797d8d532d7ce4491dfa434dd1ca1c329bf0b
    Kind: pdf-javascript-stream; Source: PDF /JS object 25 at offset 0x8A1B; Size: 3556 bytes
  • javascript_obj0025_019.js
    SHA-256: e01e90c5bc275585ecdcdf5fdb280d54d672953ac7a241bf0e7274229cea5dd2
    Kind: pdf-javascript-stream; Source: PDF /JS object 25 at offset 0x8A1B; Size: 204 bytes
  • javascript_obj0054_030.js
    SHA-256: 3c4d8e24e11f249ee5ac0fad30fc0807d68334191d61155fd1da26e1cf74eab3
    Kind: pdf-javascript-stream; Source: PDF /JS object 54 at offset 0xB671; Size: 200 bytes
  • javascript_obj0060_033.js
    SHA-256: c45db5818946bca2e52fb624b99ef6e7bd3d5ba645013587f57a6d053f1d8232
    Kind: pdf-javascript-stream; Source: PDF /JS object 60 at offset 0xBAD4; Size: 198 bytes
  • javascript_obj0066_035.js
    SHA-256: 5f4802d52f43dbbd91c26452b24ef9d0abaefe8c10310a55cb1fd7d008733042
    Kind: pdf-javascript-stream; Source: PDF /JS object 66 at offset 0xBF36; Size: 200 bytes
  • javascript_obj0082_040.js
    SHA-256: 368b0461c5bb7ab2eaf3ab881e2dd8e94af8168336fb243f9f810e14da32e1d4
    Kind: pdf-javascript-stream; Source: PDF /JS object 82 at offset 0xCBCD; Size: 226 bytes
  • javascript_obj0089_042.js
    SHA-256: dade60db0892f5077dbc978ed029d93d9b697cee55617d15db73f1b594a3873f
    Kind: pdf-javascript-stream; Source: PDF /JS object 89 at offset 0xD065; Size: 231 bytes
  • stream_013_off0000ee43.bin
    SHA-256: 3723faee4882397e36c8dbadf3272900334d8c6d26041167a18580b090c7a82a
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0xEE43; Size: 2569 bytes
  • stream_014_off0000f8b4.bin
    SHA-256: 461c007959765cc9d7a837436d936ecaad07534dac1ea7b855498f1146d5cf18
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0xF8B4; Size: 11776 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact entropy is 7.88, consistent with packed or encrypted content.
  • font_01_type1_off0001261e.bin
    SHA-256: dbab26b9e9d89bbb0d00262461da26e552a1b1ed12e88fede3e572aad218c190
    Kind: pdf-font-stream; Source: PDF embedded font (type1) at offset 0x1261E; Size: 1954 bytes
  • font_02_type1_off00012e3b.bin
    SHA-256: 81db178602479728492417717a8b5dac39a7e7670598a944e691be9c67cba278
    Kind: pdf-font-stream; Source: PDF embedded font (type1) at offset 0x12E3B; Size: 3505 bytes
  • font_03_type1_off00013c47.bin
    SHA-256: 50765a7a7f4520d41377e9496ea6c0fbd45529fb04db50e0f0abb38e300debe4
    Kind: pdf-font-stream; Source: PDF embedded font (type1) at offset 0x13C47; Size: 2519 bytes
  • font_04_type1_off00014674.bin
    SHA-256: ab18479df416af75ed9b452d33814215624d0f58d984b5a37fb7a85fea1d4979
    Kind: pdf-font-stream; Source: PDF embedded font (type1) at offset 0x14674; Size: 5364 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact entropy is 7.81, consistent with packed or encrypted content.
  • font_05_type1_off00015b86.bin
    SHA-256: b090debfaaad5a20442f5e9058149507188854acbff2427c0139966c48e63b8d
    Kind: pdf-font-stream; Source: PDF embedded font (type1) at offset 0x15B86; Size: 2557 bytes