Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f96f9013db6ceec…

Verdict: MALICIOUS
File type: PDF
Size: 97.0 KB
MD5: 72cc5773b047818f8442d9d9f2c194ae
SHA-1: f5c5e09da4812cf242d8347b4d4c60271bcb485b
SHA-256: 0f96f9013db6ceec323ee56b2368657e8a57ecbdb93dfb2e7f74dca3fca0acfd
Risk score: 146

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and triggers exploit cluster heuristics, indicating it is designed to execute malicious code. The presence of XFA forms and the use of String.fromCharCode further suggest an exploit targeting PDF vulnerabilities. The primary IOC is the obfuscated JavaScript stream, which likely contains the logic for downloading and executing a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5828

Heuristics 8

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.adobe.com/go/reader_download
    • http://www.adobe.com/go/acrreader
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://cgi.adobe.com/special/acrobat/update
    • http://www.xfa.org/schema/xci/3.0/
    • http://www.xfa.org/schema/xfa-template/3.0/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-template/2.8/\
    • http://www.w3.org/1999/xhtml\
    • http://www.xfa.org/schema/xfa-data/1.0/\
    • http://www.xfa.org/schema/xfa-locale-set/2.7/

Extracted artifacts 7

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

stream_002_off00000398.js
  SHA-256: 529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x398
  Size: 1363 bytes

stream_003_off00000575.js
  SHA-256: e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x575
  Size: 902 bytes

stream_008_off00000e83.js
  SHA-256: e6103c82f30cd8596a423b7d63ccaa07a26d141c76c630eb1ff65a7e11e57862
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xE83
  Size: 2856 bytes

stream_009_off0000129f.js
  SHA-256: 265b766826bfb8654cd0c67dd5320fc0f8f37695a8175ec345158199f40ac662
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x129F
  Size: 247985 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s))

stream_010_off0001647d.bin
  SHA-256: 984e33597cee6a139b4eb9668deb8ae3fd023cb2f29b1dac2e77dd6be0d9a93d
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1647D
  Size: 2893 bytes

stream_012_off00016a1e.bin
  SHA-256: 90938f9e3cdf6db2eeee31ed7c949f3b0952b799b670df73d2e56d31bfcc8d34
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x16A1E
  Size: 121 bytes

objstm_0030_00.bin
  SHA-256: 1be499ab17b378d1e2efddf2d1a32091da1df347f5cf972ce59520b4cf3a692b
  Kind: pdf-objstm-decoded
  Source: PDF /ObjStm 30 0 obj (inflated)
  Size: 618 bytes