Malicious PDF — malware analysis report

Static analysis result for SHA-256 10a569b64e55da7b…

MALICIOUS

PDF

119.9 KB
MD5: 027ac44c9b42bf5ef84a7695584fb0bb SHA-1: 0dba976db1470fe5589174a1d87d9d330c89f24d SHA-256: 10a569b64e55da7bf07ef1431998fc1c1499727dc40bdcc0806983011f229ec0
146 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF sample contains embedded JavaScript, flagged as an exploit cluster and associated with XFA forms. This JavaScript is likely responsible for downloading and executing a secondary payload, as indicated by the 'PDF_JS_EXPLOIT_CLUSTER' and 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristics. The presence of embedded files further supports the payload delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6789

Heuristics 8

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ocsp.verisign.com0
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-template/2.8/
    • http://www.xfa.org/schema/xfa-locale-set/2.6/
    • http://ns.adobe.com/xfdf/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://cgi.adobe.com/special/acrobat/update
    • http://crl.verisign.com/tss-ca.crl0
    • http://crl.verisign.com/ThawteTimestampingCA.crl0
    • https://www.verisign.com/rpa
    • http://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0D
    • https://www.verisign.com/rpa0
    • http://csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0
    • http://www.adobe.com/typehttp://www.adobe.com/type/legal.html

Extracted artifacts 12

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
b4f489c16aacc4a3f62fba78d0e26e3c5f9d58180e0002f060262d6b24b610de		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x1A3FB 163 bytes
embedded_file_obj0002.bin
a2e48ea644de8f080e6db83402c62c260ea5e4b0531d82695031b7c65fe55862		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x1A4ED 1737 bytes
embedded_file_obj0003.bin
8ac72902ae334fe392ebaf4ce645554a8cebdc64a82138cd7895e8e2fda2b450		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x1A813 32933 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
embedded_file_obj0004.bin
bfff1586053f8005ff03b85b76471914c8ed164445b816ae476d50b551f1e7c8		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x1C0E4 2860 bytes
embedded_file_obj0005.bin
609985086b771be0c4047efe6ddb5e77a2d617b3e3e0582da6d7979aabf15a58		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x1C43A 286 bytes
embedded_file_obj0006.bin
0c13e9948a450ac7f952faeb7598cdd87c762454256478c6419a022f5ffcf091		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x1C513 1535 bytes
embedded_file_obj0007.bin
2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x1C7D2 80 bytes
embedded_file_obj0008.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x1C87B 56 bytes
stream_002_off000003b6.js
f94e41f586bf3f20bc1deeac4bfbda388a61db43f25fbd6304ba73f5653368cf		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3B6 1313 bytes
stream_003_off00000594.js
1b2ec98752b966f601d5223a750559cf13d562ac5e5c6d1fcc7217835b01f5fd		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x594 902 bytes
objstm_0088_00.bin
b12e5b9e1aa2e365e3e74c7092d4789e3d446ae41dd2f8f932b2aa87272911a0		 pdf-objstm-decoded PDF /ObjStm 88 0 obj (inflated) 10953 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).
font_00_sfnt_off00000cda.bin
1626e6329f65d0d35cdf751ec668ac4b8800d726707d01e7810bb8297d789dee		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCDA 94351 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.