Malicious PDF — malware analysis report

Static analysis result for SHA-256 387156f9aae1ca70…

MALICIOUS

PDF

137.3 KB Created: 2010-05-07 09:16:53 +02:00 Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 8.1.0 (Windows))
MD5: b6add06a200944344fa2c332146b96b3 SHA-1: 2061b71ff449091e290075ed22841b374669a17f SHA-256: 387156f9aae1ca7003efe3a08eeb6c0761d54c694e5e6cefdf9a99eebcb3e37b
90 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.002 Spearphishing Attachment

The PDF contains multiple embedded JavaScript streams and an embedded script payload, indicating a malicious intent to execute code. The ML classifier strongly flagged this PDF as malicious. The embedded scripts are likely responsible for downloading and executing a second-stage payload, which is a common technique for malware delivery. The presence of XFA form elements and JavaScript actions further supports this attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9666

Heuristics 7

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xtd/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0064.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 64 at offset 0x18CA8 85 bytes
embedded_file_obj0070.bin
3c1c0468c54fa4c2d79e388b1e9baf5e86c52c841725e5d1491bc949c4ced80c		 pdf-embedded-file PDF EmbeddedFile object 70 at offset 0x20AE0 103 bytes
javascript_obj0078_000.js
113b77aa019590df85e7813f26f280f49104af7888adf75b82a6eb867289c74e		 pdf-javascript-stream PDF /JS object 78 at offset 0x21CC0 447 bytes
javascript_obj0088_001.js
f979542c4992f256c12537db5bbe5f86605da11ef877e634ccfc2c47c9284b10		 pdf-javascript-stream PDF /JS object 88 at offset 0x3CC2 1604 bytes
javascript_obj0089_002.js
3bf84668674e23c91aaaa6c58c24a1f80a30566e9cfbd09040882d18101fed76		 pdf-javascript-stream PDF /JS object 89 at offset 0x3EAA 902 bytes
javascript_obj0090_003.js
922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc		 pdf-javascript-stream PDF /JS object 90 at offset 0x4014 2798 bytes
embedded_pdf_script_000194e2.bin
4a0b21a5182bfa9276f70c13bc899a79e92e4cb668e28186385db77f511236ed		 pdf-embedded-script PDF raw stream script payload at offset 0x194E2 3037 bytes
icc_00_off0000e91a.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0xE91A 3144 bytes
font_00_sfnt_off00010e75.bin
a7df6dca0e92656ec9943fa83f01ed0d895d5ef4c6734b33b43f0aadf5b694ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10E75 6168 bytes
font_01_cff_off00011efa.bin
218005708f909e1e438773edef7ba070f4ca10ab72d9a7e485a9b7a5524d4326		 pdf-font-stream PDF embedded font (cff) at offset 0x11EFA 2326 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.