Malicious PDF — malware analysis report

Static analysis result for SHA-256 1675fd029cc7312b…

MALICIOUS

PDF

1.2 KB
MD5: 66026e2e6aad4fd6efc7533e2fb503e6 SHA-1: 573bf74cc2cd765941f5c5a9a58353f96962bede SHA-256: 1675fd029cc7312b86c8334abedbba1ddf7c5c4264a1c60cbd9c8ed4986edc57
168 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that automatically attempts to submit form data to a remote URL upon opening. This script is designed to trick the user into believing they are decrypting a message or viewing content, but instead, it sends their data to the attacker-controlled domain. The ClamAV detection and ML classifier strongly indicate malicious intent, consistent with a phishing or credential harvesting lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF auto-runs JavaScript form submission on open critical PDF_OPENACTION_JS_SUBMITFORM
    PDF uses /OpenAction to run JavaScript that calls submitForm() with an external HTTP(S) URL. Opening the document triggers the outbound submission path without requiring a normal link click.
  • ClamAV: Pdf.Dropper.Agent-7232911-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7232911-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://messaging-security.comano.us/XcmVxjaXBpZWJ50X2lkPTMMyMTc4htMTE2yMSZjYW1wlYWqlnbl9ydW5faWQ9OTkxTNTMwJmFjdGlvbj1hdHRhY2htZW50#FDF
    • http://messaging-security.comano.us/XcmVxjaXBpZWJ50X2lkPTMMyMTc4htMTE2yMSZjYW1wlYWqlnbl9ydW5faWQ9OTkxTNTMwJmFjdGlvbj1hdHRhY2htZW50
    • http://messaging-security.comano.us/XcmVxjaXBpZWJ50X2lkPTMMyMTc4htMTE2yMSZjYW1wlYWqlnbl9ydW5faWQ9OTkxTNTMwJmFjdGlvbj1hdHRhY2htZW50�F

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js
f07ecb2da96d6fe2217a3e6c164f3a53ddc4f06573c301882cacebc047f99976		 pdf-javascript-stream PDF /JS object 7 at offset 0x30D 155 bytes
javascript_obj0007_001.js
8d2f3fa77519ff36b9d2c7ee6a4d1e96f179953d4453f7dda6a6de1fb74e2fa6		 pdf-javascript-stream PDF /JS object 7 at offset 0x30D 153 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.