MALICIOUS
86
Risk Score
🔏 Digital signature Signed
A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
The PDF exhibits multiple indicators of malicious intent, including embedded files and JavaScript actions. The presence of 'PDF_EMBEDDED_SCRIPT_PAYLOAD' and 'EXTRACTED_FILE_STATIC_TRIAGE' with a long encoded blob points to the delivery of a secondary payload. The embedded file 'embedded_file_obj0003.bin' is likely the payload. No specific family could be identified.
Machine Learning
- Nyx PDF Classifier malicious score 0.9195
Heuristics 7
-
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.umwelt-luzern.ch/gesuchsformular_holzenergie_ab70kw.pdf Referenced by PDF JavaScript
- http://www.holzenergie.ch/fileadmin/user_resources/qualitaetssiegel_lrv_opair/319_Heizkessel_QS.pdfReferenced by PDF JavaScript
- http://www.holzenergie.ch/fileadmin/user_resourcesqualitaetssiegel_lrv_opair/319_Heizkessel_QS.pdfReferenced by PDF JavaScript
- http://www.holzenergie.ch/fileadmin/user_resources/qualitaetssiegel_lrv_opair/319a_QS%2BMinergie_WohnraumHabitation.pdfReferenced by PDF JavaScript
- http://www.holzenergie.ch/fileadmin/user_resources/qualitaetssiegel_lrv_opair/Referenced by PDF JavaScript
- http://www.adobe.com/products/acrobat/readstep2.htmlReferenced by PDF JavaScript
- http://www.adobe.com/support/products/In PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by PDF JavaScript
- http://ns.adobe.com/xap/1.0/Referenced by PDF JavaScript
- http://ns.adobe.com/pdf/1.3/Referenced by PDF JavaScript
- http://ns.adobe.com/xap/1.0/mm/Referenced by PDF JavaScript
- http://purl.org/dc/elements/1.1/Referenced by PDF JavaScript
- http://ns.adobe.com/xfa/promoted-desc/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xci/2.8/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-template/2.8/Referenced by PDF JavaScript
- http://www.w3.org/1999/xhtmlReferenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-data/1.0/Referenced by PDF JavaScript
- http://www.w3.org/2001/XMLSchema-instanceReferenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-template/2.6/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-locale-set/2.7/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-locale-set/2.6/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-connection-set/2.8/Referenced by PDF JavaScript
- https://forms.lu.ch/soap/services/ENFAReferenced by PDF JavaScript
- https://forms.lu.ch/soap/services/ENFA?wsdlReferenced by PDF JavaScript
- http://cgi.adobe.com/special/acrobat/updateReferenced by PDF JavaScript
- http://www.adobe.com/supporReferenced by PDF JavaScript
- http://ns.adobe.com/xdp/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-form/2.8/Referenced by PDF JavaScript
- http://ns.adobe.com/data-description/Referenced by PDF JavaScript
- http://schemas.xmlsoap.org/soap/envelope/Referenced by PDF JavaScript
- http://adobe.com/idp/servicesReferenced by PDF JavaScript
- http://www.w3.org/2001/XMLSchemaReferenced by PDF JavaScript
- http://ns.adobe.com/xfdf/In PDF document text
Extracted artifacts 13
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0002.bin |
pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0x58 | 1856 bytes |
SHA-256: c8a41472743d3d9fa27bd273882940194d1d7c41fccefa703955b9d4d1bf1581 |
|||
embedded_file_obj0003.bin |
pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x3BD | 411001 bytes |
SHA-256: 7a924b420a6a8fe6be5ab7968e1910bffed53b9f6c60e05db642a907d9be4fc6 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
1397 of 3149 identifiers look randomly generated (e.g. 'A000B000C000F001000110012001300140015001'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation. Carved artifact contains 4 long base64-like blob(s).
|
|||
embedded_file_obj0004.bin |
pdf-embedded-file | PDF EmbeddedFile object 4 at offset 0x1AA62 | 2920 bytes |
SHA-256: 0cc1acb568122b202bf53805b12af93620ac5985e50247b10a974e6e1d27ad41 |
|||
embedded_file_obj0007.bin |
pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0x1ADDE | 640 bytes |
SHA-256: 2ac6dae4fac82721331c9e44dc903d0c773402198ff52d5b347d79af636e20f1 |
|||
embedded_file_obj0008.bin |
pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0x1AF5F | 29525 bytes |
SHA-256: 708184c3756f474163a7dc27c006d265992f62c1eabef6b340d7c91a4b8aeac8 |
|||
embedded_file_obj0009.bin |
pdf-embedded-file | PDF EmbeddedFile object 9 at offset 0x1BA61 | 1535 bytes |
SHA-256: 642ebd21fa554fcf77fe3ed46ebeed5f4ee1777b99b4d17a848c825cbf9e4c0f |
|||
embedded_file_obj0010.bin |
pdf-embedded-file | PDF EmbeddedFile object 10 at offset 0x1BD24 | 80 bytes |
SHA-256: 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19 |
|||
embedded_file_obj0056.bin |
pdf-embedded-file | PDF EmbeddedFile object 56 at offset 0x1D6BE | 162 bytes |
SHA-256: 6fa3678fdee168a7a81fb992dc3a271bddcc1ae903903c1d80edfc762841b917 |
|||
embedded_file_obj0057.bin |
pdf-embedded-file | PDF EmbeddedFile object 57 at offset 0x1D7B0 | 3190 bytes |
SHA-256: bd501d2978cc5fb162d9ddf036631cf7646265c33d9f96d9f43edefb556d179d |
|||
embedded_file_obj0058.bin |
pdf-embedded-file | PDF EmbeddedFile object 58 at offset 0x1DAC0 | 13903 bytes |
SHA-256: 50db296bdef43ae87dd8badb2b5ba77c68e84ca54fbae87cd389e5d7cd3cf3ff |
|||
stream_007_off0001ce3e.js |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1CE3E | 1313 bytes |
SHA-256: f94e41f586bf3f20bc1deeac4bfbda388a61db43f25fbd6304ba73f5653368cf |
|||
stream_008_off0001d01d.js |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1D01D | 902 bytes |
SHA-256: 1b2ec98752b966f601d5223a750559cf13d562ac5e5c6d1fcc7217835b01f5fd |
|||
objstm_0060_00.bin |
pdf-objstm-decoded | PDF /ObjStm 60 0 obj (inflated) | 7043 bytes |
SHA-256: 4213c9e4343812c40120dd8ec0a9d1fe37d621b99c7135cedd524a0692e6ea40 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.