PDF malware analysis — malicious · 32e052e7a7c0a497

MALICIOUS

PDF

49.0 KB Created: 2012-11-02 18:06:10 +03:00 Authoring application: Adobe Designer 7.0

MD5: dca34c790e1ec256c6a7c7cbaa4966f1 SHA-1: c036343ed5a126683941ab076286db4bc9139ceb SHA-256: 32e052e7a7c0a497fd3e39e4ad15e40cad02ce73b9343fd0cb5d4d20cc5e49ee

158 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The PDF file contains XFA form elements and an eval() call, indicating the presence of executable script. High-confidence heuristics like ML_NYX_PDF_MALICIOUS and PDF_XFA_SCRIPT confirm its malicious nature. The embedded script payload is likely designed to download and execute a second-stage payload, as suggested by the PDF_EMBEDDED_SCRIPT_PAYLOAD heuristic. While specific IOCs beyond benign URLs are not directly extracted, the presence of embedded files and scripts points towards a downloader or exploit delivery mechanism.

Machine Learning

Nyx PDF Classifier malicious score 0.9970

Heuristics 9

XFA form contains risky executable script high CVE related PDF_XFA_SCRIPT

PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behavior is present.
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
AcroForm button with action trigger low PDF_ACROFORM_BUTTON

PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0046.bin` `c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb`	pdf-embedded-file	PDF EmbeddedFile object 46 at offset 0x756D	85 bytes
`embedded_file_obj0047.bin` `f20aceb8dbc16d07642c756ca1ccc141a87f1f44f1a99949a4c6a6a8678b4c98`	pdf-embedded-file	PDF EmbeddedFile object 47 at offset 0x761F	1526 bytes
`embedded_file_obj0048.bin` `e2fb7e9ea37d12fafd513b9473e7ddef53917a6d32e59905abb6b630dd3b12e1`	pdf-embedded-file	PDF EmbeddedFile object 48 at offset 0x78EF	6265 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`embedded_file_obj0049.bin` `0b7fe2cbe79087012463f41fc1327af7a43b4981b1049b2448bcaa170e431454`	pdf-embedded-file	PDF EmbeddedFile object 49 at offset 0x853F	171 bytes
`embedded_file_obj0050.bin` `37cd6404a3d8d63a939da3420fad817b7ea2a487799f95ad2ced8d56fa5b8ca7`	pdf-embedded-file	PDF EmbeddedFile object 50 at offset 0x8608	6534 bytes
`embedded_file_obj0051.bin` `57045217c453d4674a08ad8778674bf199a7989a9505424a1815c016e6bb412f`	pdf-embedded-file	PDF EmbeddedFile object 51 at offset 0x8AE5	212 bytes
`font_00_cff_off000012d0.bin` `23831e143e2e1a484b95ee765b15d94562c951468b895c080e655667dc04ddf0`	pdf-font-stream	PDF embedded font (cff) at offset 0x12D0	31178 bytes
`font_01_cff_off00008c4a.bin` `b59db72ce2f5ef10b3530ca6cac89f73c4061ad9bb7474f16e1d7c01a5a2a09f`	pdf-font-stream	PDF embedded font (cff) at offset 0x8C4A	4211 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.42, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.