Malicious PDF — malware analysis report

Static analysis result for SHA-256 4459499d12fca88a…

Verdict: MALICIOUS
File type: PDF
Size: 10.7 KB
Created: 2010-12-20 14:38:44 -05:00
Authoring application: Adobe LiveCycle Designer 8.0
MD5: c3bda4c78232936b9bd327f5b33dc091
SHA-1: 87f8a60b4025a1e0e46ba9671a309cb183e7a6c9
SHA-256: 4459499d12fca88acc9bb2037e0c7d6b56052cf7717d9515664f2ccba1e81c57
Risk Score: 82

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains multiple embedded JavaScript streams, identified by PDF_JAVASCRIPT and PDF_JS heuristics. The ML classifier strongly indicates maliciousness. The embedded scripts are the primary mechanism for attack, likely downloading and executing further malicious content. While the specific JavaScript content is obfuscated, the presence of embedded scripts and the ML score point to a malicious downloader pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics (6)

  • Embedded script payload in PDF stream (medium) PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action (low) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low) PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form (low) PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • embedded_file_obj0001.bin
    SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 1 at offset 0xD1A; Size: 85 bytes
  • embedded_file_obj0002.bin
    SHA-256: 210f059da2e2d3892c26332e5ceed1ed3f3ee4d01f40b3ddec74d2160a2b121d
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 2 at offset 0xDCC; Size: 3925 bytes
  • embedded_file_obj0003.bin
    SHA-256: a993770fd797397c69b6b9db29771a3f0259844678eae55ace2aba3787497c85
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 3 at offset 0x11A5; Size: 1635 bytes
  • embedded_file_obj0004.bin
    SHA-256: 7e915b5dd2e321929666a7b64c038b67678092d6e43a4a70683521856a4d5128
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 4 at offset 0x14EA; Size: 214 bytes
  • embedded_file_obj0005.bin
    SHA-256: 2d58413fda1ff20c994606823bf49e41194612c0137b6315e50fa7bdc01f1e09
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 5 at offset 0x15E4; Size: 2423 bytes
  • embedded_file_obj0006.bin
    SHA-256: 702e44c0bd2fae153f63c8fe2576587336137bb48774414e90d1715e1caab3ff
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 6 at offset 0x18C5; Size: 166 bytes
  • javascript_obj0026_000.js
    SHA-256: 04ceb4c2218e7db19a6e007ca4ce846f92c17fff5eaf3a611e71bbd7a5726917
    Kind: pdf-javascript-stream; Source: PDF /JS object 26 at offset 0x5EA; Size: 1535 bytes
  • javascript_obj0027_001.js
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
    Kind: pdf-javascript-stream; Source: PDF /JS object 27 at offset 0x7D5; Size: 870 bytes
  • javascript_obj0028_002.js
    SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
    Kind: pdf-javascript-stream; Source: PDF /JS object 28 at offset 0x92F; Size: 2798 bytes