Risk Score: 104 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1204 Malicious File
T1204.002 Malicious File: User Execution: Malicious Attachment
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
The PDF file contains embedded JavaScript that is likely responsible for downloading and executing a second-stage payload. The heuristics indicate a generic exploit stage recovery and a suspicious secondary embedded PDF, suggesting a multi-stage attack. The extracted JavaScript files, 'generic_stage_recovery_000.js' and 'generic_stage_recovery_001.js', are the primary indicators of malicious activity.
Machine Learning
- Nyx PDF Classifier clean score 0.0691
Heuristics (4)
- Secondary embedded PDF body has suspicious static findings (critical, POLYGLOT_CHILD_PDF_STATIC_TRIAGE): A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
- Generic recovered JavaScript exploit stage (high, PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs:
- http://www.adrift.org.uk/
- http://www.inform-fiction.org/
- http://www.namazu.org/
- http://www.djvuzone.org/
- http://cgi.adobe.com/special/acrobat/mediaplayerfinder/mediaplayerfinder.cgi
- http://www.geocities.com/nevilo/mod.htm
- http://www.lua.org/
- http://www.libpng.org/pub/mng/spec/
- http://hdf.ncsa.uiuc.edu/
- http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html
- http://www.macromedia.com/software/flash/open/
- http://cgi.adobe.com/special/acrobat/mediaplayerfinder/mediaplayerfinder.cgi?… (query string contains non-printable bytes)
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| generic_stage_recovery_000.js | 08591dcd08ca9e76c4af86cdd3c672bcf7725bd9be7849b2b8edbb76e0240c0d | deobfuscated-js | generic stage recovery null-collapse from decompressed stream at 0x0 at offset 0x0 | 198683 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 9 long base64-like blobs). |
| generic_stage_recovery_001.js | 57ad2f9ac39be8619cfe8ab854d6e7ae8627dca28e06892d469ee829398d45f6 | deobfuscated-js | generic stage recovery null-collapse from decompressed stream at 0x53C5 at offset 0x53C5 | 1158 bytes | |
| polyglot_child_pdf_off0000ab65.pdf | e9a53d74cc1e50740181e8864c4fd61d5d7cd56778eeaf5288783ce3c6814a39 | polyglot-child-pdf | Secondary PDF body inside pdf container at offset 0xAB65 | 258053 bytes | |
| polyglot_child_pdf_off000499c8.pdf | e3ade5af26d4697e70bed5be08f1c666184a14aadad6f9c5fa5c96e2c0235ff4 | polyglot-child-pdf | Secondary PDF body inside pdf container at offset 0x499C8 | 418 bytes | |