🔏 Digital signature: Modified after signing
A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.
Malware Insights
This PDF document exhibits multiple indicators of malicious intent, including embedded JavaScript and embedded script payloads. The presence of a large JavaScript stream (stream_009_off000011d2.js) strongly suggests an attempt to execute malicious code. This script likely functions as a downloader for further stages of an attack. The XFA form and embedded file heuristics further support the suspicious nature of this document.
Machine Learning
- Nyx PDF Classifier: clean score 0.0841
Heuristics (9)
- Active content added after the PDF was signed (severity: medium; rule PDF_SIGNATURE_POST_SIGN_MODIFICATION). An incremental update appended AFTER the signed byte range introduces active content (/EmbeddedFile, /Catalog). Some of this can occur in legitimate form-fill (field scripts, a rewritten /Catalog), so it is suspicious rather than damning — but it is content the signer did not approve.
- Embedded script payload in PDF stream (severity: medium; rule PDF_EMBEDDED_SCRIPT_PAYLOAD). PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
- Embedded file (severity: low; rule PDF_EMBEDDED). PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
- XFA form (severity: low; rule PDF_XFA). PDF uses XML Forms Architecture — can contain script logic.
- JavaScript action (severity: low; 1 related finding; rule PDF_JAVASCRIPT). PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
- Embedded JS stream (severity: low; rule PDF_JS). PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
- Object number defined twice with different bodies (severity: info; rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Suspicious extracted artifact (severity: info; rule EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info; rule EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs extracted (with the channel that referenced each):
- https://www.services-publics.lu/assistants/public-defo?ECITIZ_ACTIVITY_PATH=Usager&ECITIZ_PROCESS_ID=MULT-DEFO&FORM_TYPE_ID=FNS_ALLOC_VIE (Referenced by PDF JavaScript)
- http://ocsp.verisign.com0 (Referenced by PDF JavaScript)
- http://www.monotype.comMonotype (Referenced by PDF JavaScript)
- http://www.adobe.com/go/reader_download (In PDF document text)
- http://www.adobe.com/go/acrreader (In PDF document text)
- http://ns.adobe.com/xfdf/ (In PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (Referenced by PDF JavaScript)
- http://ns.adobe.com/xap/1.0/ (Referenced by PDF JavaScript)
- http://ns.adobe.com/pdf/1.3/ (Referenced by PDF JavaScript)
- http://ns.adobe.com/xap/1.0/mm/ (Referenced by PDF JavaScript)
- http://purl.org/dc/elements/1.1/ (Referenced by PDF JavaScript)
- http://ns.adobe.com/xfa/promoted-desc/ (Referenced by PDF JavaScript)
- http://www.adobe.com/go/acr (In PDF document text)
- http://cgi.adobe.com/special/acrobat/update (Referenced by PDF JavaScript)
- http://ns.adobe.com/xdp/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xci/2.6/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xci/2.8/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-template/2.6/ (Referenced by PDF JavaScript)
- http://www.w3.org/1999/xhtml (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-data/1.0/ (Referenced by PDF JavaScript)
- http://get.adobe.com/reader (Referenced by PDF JavaScript)
- http://get.adobe.com/reader cliquer (Referenced by PDF JavaScript)
- http://www.w3.org/2001/XMLSchema-instance (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-locale-set/2.7/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-form/2.8/ (Referenced by PDF JavaScript)
- http://crl.verisign.com/tss-ca.crl0 (Referenced by PDF JavaScript)
- http://crl.verisign.com/ThawteTimestampingCA.crl0 (Referenced by PDF JavaScript)
- https://www.verisign.com/rpa (Referenced by PDF JavaScript)
- https://www.verisign.com/rpa01 (Referenced by PDF JavaScript)
- http://crl.verisign.com/pca3.crl0 (Referenced by PDF JavaScript)
- http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D (Referenced by PDF JavaScript)
- https://www.verisign.com/rpa0 (Referenced by PDF JavaScript)
- http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0 (Referenced by PDF JavaScript)
- http://www.adobe.com/typehttp://www.adobe.com/type/legal.html (Referenced by PDF JavaScript)
- http://ocsp.verisign.com/ocsp/status0 (Referenced by PDF JavaScript)
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0 (Referenced by PDF JavaScript)
- http://www.microsoft.com/typography (Referenced by PDF JavaScript)
- http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.html (Referenced by PDF JavaScript)
- http://logo.verisign.com/vslogo.gif0 (Referenced by PDF JavaScript)
- http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D (Referenced by PDF JavaScript)
- http://csc3-2010-aia.verisign.com/CSC3-2010.cer0 (Referenced by PDF JavaScript)
- https://www.verisign.com/cps0* (Referenced by PDF JavaScript)
- http://logo.verisign.com/vslogo.gif04 (Referenced by PDF JavaScript)
- http://crl.verisign.com/pca3-g5.crl04 (Referenced by PDF JavaScript)
- http://www.adobe.com/typehttp://www.adobe.com/type/legal.htmlMedium (Referenced by PDF JavaScript)
Extracted artifacts (15)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_file_obj0070.bin | pdf-embedded-file | PDF EmbeddedFile object 70 at offset 0xA2C74 | 162 bytes | b736ed5e26aec1a77dd9ed197103875011923f2e7b134c0b43bea7245f202ec5 |
| embedded_file_obj0071.bin | pdf-embedded-file | PDF EmbeddedFile object 71 at offset 0xA2D65 | 1746 bytes | c1f4096dfe919800dc98b5d19786ef35e69b9aadc71a36328d4f1fe0600fd32c |
| embedded_file_obj0072.bin | pdf-embedded-file | PDF EmbeddedFile object 72 at offset 0xA2F96 | 815 bytes | e41a16cabff133f6f20ff83fd730a7136e77ef3c6b4d91203863ef8dd4a04e8d |
| stream_002_off0000034e.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x34E | 1313 bytes | f94e41f586bf3f20bc1deeac4bfbda388a61db43f25fbd6304ba73f5653368cf |
| stream_003_off0000052c.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x52C | 902 bytes | 1b2ec98752b966f601d5223a750559cf13d562ac5e5c6d1fcc7217835b01f5fd |
| stream_008_off00000ea4.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xEA4 | 1736 bytes | 7602c79b27ed1645a44aa80cce296a19811c1bed09b13e5123157a22fa8884cb |
| stream_009_off000011d2.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x11D2 | 385812 bytes | 26f729f03147efee3d6517c992addbfcef48f5548688e5ed16813db23a4f5e74 |
| stream_010_off00028237.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x28237 | 5615 bytes | a60618651a6708bf5eec9c89fe03183d72a8d264ac385b759caefc2f214547d7 |
| stream_011_off000285e7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x285E7 | 121 bytes | 90938f9e3cdf6db2eeee31ed7c949f3b0952b799b670df73d2e56d31bfcc8d34 |
| stream_012_off00028690.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x28690 | 595 bytes | d51aa3f1df7738afd24e413efb0b91633081526d06c884fcf92556910c126c49 |
| stream_015_off00038e84.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x38E84 | 367087 bytes | b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa |
| stream_016_off0006b697.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6B697 | 352198 bytes | 1e8564d3d89047875dccaa98279599de9d7ddf77240906041f1156ba8edf3315 |
| objstm_0042_00.bin | pdf-objstm-decoded | PDF /ObjStm 42 0 obj (inflated) | 592 bytes | 86dc6fe48181d161100116d2c6b4363e25bd31bcd292e68e481616af9f83eaed |
| font_00_sfnt_off00028ba0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x28BA0 | 95975 bytes | c29e5b1537bee8c88b3ffca56c5f24a45ec8da374cf9d4c0b4a78d04fc230949 |
| font_01_sfnt_off000a3d23.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA3D23 | 37844 bytes | 43e31edb681debc6077d2e902e01d9766272bc3db6256da4200c4a4e3af08bac |

Detection results for stream_009_off000011d2.js (the only artifact with a detection record):
- ClamAV: No threats found
- Obfuscation or payload: likely. 3749 of 6441 identifiers look randomly generated (e.g. 'Hx1vANRXXOh6fv6iyzj5Z0RbjDNbLBZXdWhXQQRz'); 57 string-concatenation chain(s) — consistent with name-mangling obfuscation. Carved artifact contains 2 long base64-like blob(s).