Malicious PDF — malware analysis report

Static analysis result for SHA-256 347ca67f6a3e2da6…

Verdict: MALICIOUS

File type: PDF

Size: 22.9 KB
Authoring application: Aspose Ltd. (via Aspose.PDF for .NET 20.8)
First seen: 2021-05-26
MD5: de5264d15ccc20f86bd2c0fea5877cf9
SHA-1: 81f6fecf6ad330db4cf8d7a74bac710b067d216f
SHA-256: 347ca67f6a3e2da66d5529542d95631d2666c772cf24595f3e5100396f45a551
Risk Score: 158

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The sample is identified as malicious by ClamAV, specifically detecting Win.Exploit.CVE_2018_4990-6599478-0, indicating exploitation of CVE-2018-4990. Heuristics confirm the presence of embedded JavaScript and an AcroForm button with an action trigger, commonly used to initiate exploits. The ML classifier also flagged the PDF as malicious with high confidence. The embedded JavaScript is likely responsible for executing the exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8806

Heuristics (7)

  • Malformed JPEG2000/JP2 box structure [severity: high; CVE related; rule: PDF_JP2_BOX_ANOMALY]
    PDF embeds JPEG2000/JP2 data with malformed box sizes. This is a parser-exploit indicator for JPX/JPEG2000 CVE families, not a unique CVE fingerprint.
  • JPXDecode + active content — JPEG2000 CVE-family indicator [severity: info; CVE related; rule: PDF_JPX_CVE_2018_4990_RELATED]
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
  • ClamAV: Win.Exploit.CVE_2018_4990-6599478-0 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Exploit.CVE_2018_4990-6599478-0
  • JavaScript action [severity: low; 1 related finding; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger [severity: low; rule: PDF_ACROFORM_BUTTON]
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.w3.org/1999/02/22-rdf-syntax-ns# (found in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_cff_off00004572.bin
Kind: pdf-font-stream
Source: PDF embedded font (cff) at offset 0x4572
Size: 1578 bytes
SHA-256: 3ad89875e6fb7800b92b2a7d51b20b4698616ec3f17bd584488b4745cd64e011