Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f1414cdaf75a370…

Verdict: MALICIOUS
File type: PDF
Size: 146.7 KB
MD5: a69cbb709208c237386e2b9932924d40
SHA-1: d96a94f095c4f2411f7bfef86d4148b70318e3ef
SHA-256: 0f1414cdaf75a3703110e6368c07b6c053c7c16ef9b89f713bc62d60a2d776dd
Risk score: 76

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF contains embedded JavaScript that calls the syncAnnotScan function and then reads annotation names and subjects. This JavaScript is likely intended to exploit a vulnerability in the PDF viewer in order to download and execute a secondary payload. The ML classifier strongly indicated maliciousness, and the presence of JavaScript actions and streams supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9153

Heuristics (5)

  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive low PDF_FOXIT_SYNCANNOTSCAN
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (matched in decompressed stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.iec.ch
    The first four are standard RDF/XMP metadata namespace identifiers that routinely appear in PDF metadata streams, which is consistent with the "info" (non-detection) severity of this rule.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0017_000.js
  SHA-256: 65e6cc05a19eb53c2156c3d9f65721f01f3c6472dfb42e9210850a28d9f6f257
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 17 at offset 0x35C
  Size:    120 bytes

Filename: deobfuscated.js
  SHA-256: af5501d4bbd589b23970ff2070969be65583a6053be3b02db3fbe6dbb5f0c7d2
  Kind:    deobfuscated-js
  Source:  PDF JavaScript deobfuscation pass
  Size:    908785 bytes

Filename: font_00_cff_off000049a7.bin
  SHA-256: 38cd02761c6da2a2c7c5d41cbb937f7d5a9b2ac0aa4a2a519b84785c2d82e7c2
  Kind:    pdf-font-stream
  Source:  PDF embedded font (cff) at offset 0x49A7
  Size:    4095 bytes