Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ab8ee1a0f2c0870…

MALICIOUS

PDF

Size: 1.95 MB
Authoring application: substr
MD5: 27326ecb7be7371162a77ef6a5a6f5b0
SHA-1: 021c309dec8a3f56cf1a2f917efbb999af52f9bc
SHA-256: 1ab8ee1a0f2c0870bad7bc54e18783cb4ee902aca4e29587560738ab1f9ba69d
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file exhibits multiple heuristic firings indicating the presence and execution of JavaScript. A critical finding points to a secondary embedded PDF with suspicious static findings, including JavaScript actions and streams. The ML classifier also flagged this PDF as malicious with high confidence. The embedded JavaScript and the secondary PDF are the primary indicators of malicious activity, likely serving to download and execute further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9889

Heuristics (3)

  • Secondary embedded PDF body has suspicious static findings (severity: critical, rule: POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • javascript_obj0001_000.js
    SHA-256: 19d105ce645920f83174c87e1c3f529f4f5b97cb89ae18049b811e1804605b06
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1 at offset 0x1AA41
    Size: 489 bytes
  • font_00_cff_off00003f4f.bin
    SHA-256: 8dcf8721c86416b0a4822b17396ef957e1d06f4b41f378e296b705ebdd7cd973
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x3F4F
    Size: 10840 bytes
  • polyglot_child_pdf_off000025b8.pdf
    SHA-256: 8648dc2ec1ed348f6547642e73c5675827c7e7947d74f16b310a684ec4b8913e
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x25B8
    Size: 2038344 bytes
  • polyglot_child_pdf_off000124e2.pdf
    SHA-256: e390c4aeb8de64a0bcecfc54202fe325577512410a9de9b4788a0fb0ed1f706f
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x124E2
    Size: 1973022 bytes