Malicious PDF — malware analysis report

Static analysis result for SHA-256 21435d850aa9b786…

Verdict: MALICIOUS
File type: PDF
Size: 775.4 KB
MD5: cdc9bc7966c493d582090e3ee39473f0
SHA-1: 3ab86363994d00867a9d219eb024cae060a8e38b
SHA-256: 21435d850aa9b786cea75f28e49c8f1a326244f7672e0c138adb3578384481af
Risk Score: 338

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that utilizes `eval()` and `unescape()` functions, indicative of exploit code. Specifically, the heuristic 'CVE_2013_0640' directly matches raw PDF JavaScript at offset 0x44219, pointing to an exploit targeting Adobe Reader's XFA functionality. The embedded script is designed to download and execute a second-stage payload, as suggested by the 'EXTRACTED_FILE_STATIC_TRIAGE' heuristic and the presence of a large, encoded blob within the PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9882

Heuristics (11)

  • Adobe Reader XFA oneOfChild exploit - CVE-2013-0640 [critical, CVE likely] CVE_2013_0640
    PDF contains the CVE-2013-0640 XFA trigger shape: JavaScript retains an XFA choiceList object, mutates keep.previous to contentArea, then reattaches the object through oneOfChild after a timer-driven heap setup.
  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call [high] PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • unescape() call [high] PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • Embedded script payload in PDF stream [high] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://www.globalsign.com/repository/03
    • http://crl.globalsign.net/root.crl0
    • https://www.globalsign.com/repository/0
    • http://crl.globalsign.com/gs/gscodesigng2.crl0P
    • http://secure.globalsign.com/cacert/gscodesigng2.crt0
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/3.0/
    • http://www.xfa.org/schema/xfa-template/2.8/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.iec.ch

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, the source location inside the PDF, and the size.

  • javascript_obj0001_000.js
    SHA-256: b4fa7ce521bd2b17a927a5847a4f612ff5fd5b6811aa947704a39b2b1d9fe738
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1 at offset 0xA
    Size: 67070 bytes
  • stream_000_off00047995.js
    SHA-256: 1666ae55339dcc2f44f7e45ebefb0e0ee34e0475907a7914062ceec5ec71dfdf
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x47995
    Size: 220128 bytes
  • stream_007_off000a091f.bin
    SHA-256: 9f4b921389d84c2386c314827c0cf23d38657143b672b25c2272a686592e28b8
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xA091F
    Size: 26032 bytes
  • stream_009_off000a6a32.bin
    SHA-256: e7af8b64163d2ddf5c4484b5d516a25ce50c8c5e5a05ceed3ad88f847064485f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xA6A32
    Size: 115564 bytes
  • stream_011_off000bb785.bin
    SHA-256: a08016f90dd8c519685b605786b200c426c23d37a67066c3765f3fb2297f2791
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xBB785
    Size: 19440 bytes
  • embedded_pdf_script_0007692b.bin
    SHA-256: 5341fb54b64fb9a91cf1fb85d6d69f11cc1ec9883d102dd3d0fc954dd29627b0
    Kind: pdf-embedded-script
    Source: PDF decompressed stream script payload at offset 0x7692B
    Size: 793983 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 8 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
  • icc_00_off0009e081.icc
    SHA-256: eda03c8910c87b8a3e3c1ffbc35d223da8ae1d0dcfbad0c153c4eefbff436723
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x9E081
    Size: 1328 bytes
  • icc_01_off0009e402.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x9E402
    Size: 3144 bytes
  • font_01_sfnt_off000a545d.bin
    SHA-256: 1f390097b73c6f880d0a01cfac30158947769235e36be1b20ba9ccff0f45617c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA545D
    Size: 6852 bytes
  • font_04_sfnt_off000bf026.bin
    SHA-256: aa3c1a38b6b04ab479f1a5810b051c7c1c3955da06c93c9860fe6809b51e9b7c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBF026
    Size: 660 bytes
  • font_05_sfnt_off000bf5e7.bin
    SHA-256: af35c36e46ff282fb8a5a710097336976866ec0d30ae284073b92a4c22998540
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBF5E7
    Size: 10844 bytes