Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e02b3d41bd5b989…

MALICIOUS

PDF

56.1 KB
MD5: d8373d0c9a16e907776812b0428bdec6 SHA-1: da1d4769a037a7a2a18d70ab9341d44473524c11 SHA-256: 3e02b3d41bd5b9895c35ead20c21921ff158f3d3d28ed92c9b6f4d3643e71fb8
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/JScript T1566.002 Spearphishing Attachment

The PDF file contains embedded JavaScript and an 'Additional-actions' dictionary, indicating an attempt to execute code upon opening. The ML classifier strongly suggests maliciousness. The document body and heuristics point to a phishing lure, likely disguised as a booking confirmation or offer, redirecting to a URL that ultimately leads to booking.com, possibly as a pretext for credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9976

Heuristics 6

  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 56 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Additional-actions dictionary low PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/
    • https://ipfs.io/ipfs/QmSyYCjyTMyo1dM2dWBY6ExTmodmU1oSBWTdmEDTLrEenC#http://www.booking.com/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0005_000.js
ed4498c67228b31bbf82c8f56758f8eb008f07fdd0083b7b8c35241f374f9231		 pdf-javascript-stream PDF /JS object 5 at offset 0xCAD 67 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.