Malicious PDF — malware analysis report

Static analysis result for SHA-256 446e5ca60b7f4073…

MALICIOUS

PDF

Size: 383.7 KB
Created: (metadata unreadable; the document is encrypted)
Authoring application: (metadata unreadable; the document is encrypted)
MD5: b8d3fc1f18d70437e17b89e3c1fc4599
SHA-1: f152538b3a85deeb7386ee12450d5749c5a77e0f
SHA-256: 446e5ca60b7f4073ff14ebc11777eed0411cedd70ba7e74f649fd636199f77b3
Risk Score: 320

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

This PDF file exhibits multiple critical indicators of malicious activity, including an embedded PE executable payload and JavaScript. The PDF is encrypted, hiding its true content, but the presence of JavaScript and an embedded executable strongly suggests it's a delivery mechanism for further malware. The ClamAV detection of 'Js.Exploit.Shellcode-18' on both the PDF and the extracted artifact confirms its malicious nature. The embedded JavaScript is likely responsible for exploiting vulnerabilities within the PDF reader to execute the payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics (11)

  • Embedded Windows executable payload in PDF stream [critical] PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • ClamAV: Js.Exploit.Shellcode-18 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Js.Exploit.Shellcode-18
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Encrypted PDF carries /JavaScript, payload hidden from static analysis [high] PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Generic recovered JavaScript exploit stage [high] PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment; it could carry an executable or another weaponised document as a nested payload.
  • PDF paints image(s) but contains no text operators [info] PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://id.korea.com/ca.php?target=http%3A%2F%2Fmail%2Ekorea%2Ecom%2F
    • http://mail.korea.com/
    • http://mbox05.korea.com/mail/mailList.crd
    • http://mbox05.korea.com/mail/attachFileLayer.crd
    • http://mbox05.korea.com/mail/toMailWrite.crd
    • http://mbox05.korea.com/main.crd?count=2
    • http://mbox05.korea.com/mail/mailView.crd
    • http://id.korea.com/ca.php?target=http://mail.korea.com/
    • http://mail.korea.com/&mode=&returl=&hisurl=&user=iyh421&password=iyh1019&x=27&y=25GET

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source, size and (where run) detection results.

  • javascript_obj0031_000.js
    SHA-256: ea9d50b8e06ecbb36a24aa8c8037569245fbbb7eeab44c77a821569d8e469460
    Kind: pdf-javascript-stream
    Source: PDF /JS object 31 at offset 0x69E
    Size: 98 bytes
  • embedded_pdf_00015f00.exe
    SHA-256: 529cd8174eb543ed57fb5ed229f22d568d67cb42c430774965f454c0308560bc
    Kind: embedded-pe
    Source: PDF raw stream PE payload at offset 0x15F00
    Size: 297509 bytes
  • generic_stage_recovery_000.js
    SHA-256: 59caf114214bab89ec04afcc09d00cd58f291fa2cf3ac69afbdc957e0ddf5bc3
    Kind: deobfuscated-js
    Source: generic stage recovery, null-collapse from raw PDF metadata at offset 0x0
    Size: 262144 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely; carved artifact contains 11 long base64-like blob(s).
  • generic_stage_recovery_001.js
    SHA-256: ae407c39fa763db7fb7acd2fea7f594957de40cf3d27d1996d7d58c80bb9a217
    Kind: deobfuscated-js
    Source: generic stage recovery, percent-decode from raw PDF metadata at offset 0x0
    Size: 262144 bytes
    Detection: ClamAV: Js.Exploit.Shellcode-18
    Obfuscation or payload: unlikely
  • generic_stage_recovery_002.js
    SHA-256: 742cbdaeddffd0c1be5278beb9035ecf03747fc5ff994f6da97448043f0c0e12
    Kind: deobfuscated-js
    Source: generic stage recovery, null-collapse from decompressed stream at 0x0, at offset 0x0
    Size: 262144 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely; carved artifact contains 11 long base64-like blob(s).
  • generic_stage_recovery_003.js
    SHA-256: 0413add7cc562f42b78f53d78b3e0b3d821e12ce9f2e84fa771a73d7db9792d6
    Kind: deobfuscated-js
    Source: generic stage recovery, percent-decode from decompressed stream at 0x0, at offset 0x0
    Size: 262144 bytes
    Detection: ClamAV: Js.Exploit.Shellcode-18
    Obfuscation or payload: unlikely
  • generic_stage_recovery_004.js
    SHA-256: 6cf9710cc7dbc8cf2d0d1b116b5518cc8b8fd494ebb27b745cbd8894a4cbe916
    Kind: deobfuscated-js
    Source: generic stage recovery, null-collapse -> percent-decode from raw PDF metadata at offset 0x0
    Size: 261606 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely; carved artifact contains 11 long base64-like blob(s).
  • generic_stage_recovery_005.js
    SHA-256: 3d96558219e4e4eec2b82c4cc779eceb94ee0b0b4f1f4993a6fcb9307bce9c84
    Kind: deobfuscated-js
    Source: generic stage recovery, percent-decode -> null-collapse from raw PDF metadata at offset 0x0
    Size: 215115 bytes
  • generic_stage_recovery_006.js
    SHA-256: 17e65e91d0b09e6423a620616587a8074f16a40a4f4302e4d5ef1a9ee5f1c57b
    Kind: deobfuscated-js
    Source: generic stage recovery, null-collapse -> percent-decode from decompressed stream at 0x0, at offset 0x0
    Size: 261606 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely; carved artifact contains 11 long base64-like blob(s).
  • generic_stage_recovery_007.js
    SHA-256: 93da503eca3bf18039043279a003a32d04359ad8d33557dc501f6da787c614b7
    Kind: deobfuscated-js
    Source: generic stage recovery, percent-decode -> null-collapse from decompressed stream at 0x0, at offset 0x0
    Size: 215114 bytes