Malicious PDF — malware analysis report

Static analysis result for SHA-256 457cb1722118fcac…

Verdict: MALICIOUS
File type: PDF
Size: 60.9 KB
Created: 2010-08-16 13:28:08 UTC
Authoring application: pdfFactory www.context-gmbh.de (via pdfFactory 2.21 (Windows XP German))
MD5: db79ad206a4c814e7b8924bcdcd4f3d3
SHA-1: 46f097b1e927d8063795be4e28e39deb6590ad2a
SHA-256: 457cb1722118fcacafc43f203f2cbd6de5b1d8aa0e0e75f5cf01d55530ff122b
Risk score: 64

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file contains multiple embedded JavaScript streams; one particularly large stream (javascript_obj0013_005.js, 7416 bytes) suggests complex malicious functionality. The PDF_JPX_CVE_2018_4990_RELATED heuristic indicates a possible attempt to exploit a known JPEG2000 parser vulnerability, although the heuristic alone does not confirm the malformed JPX primitive. The JavaScript actions and embedded streams are likely designed to download and execute a secondary payload, which contributes to the overall malicious verdict for the document.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4946

Heuristics (5)

  • JPXDecode + active content — JPEG2000 CVE-family indicator (severity: high, CVE related) [PDF_JPX_CVE_2018_4990_RELATED]
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
  • JavaScript action (severity: low) [PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low) [PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger (severity: low) [PDF_ACROFORM_BUTTON]
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The five URLs below are standard XMP/RDF metadata namespace identifiers found in most PDF metadata, not endpoints the document contacts.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, Kind, Source, Size, SHA-256.

  • javascript_obj0069_000.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 69 at offset 0xD14A  Size: 39 bytes
    SHA-256: cf3ef38cead83f4b1b39c7a061c8fef2c62d068861252a2b5ba7c0b959eec058
  • javascript_obj0070_001.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 70 at offset 0xD19A  Size: 42 bytes
    SHA-256: a22e7a3e6dbfb6427839e3a2fdcab1be9d58bdd666536d5308358ec98c59feed
  • javascript_obj0100_002.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 100 at offset 0xDECA  Size: 39 bytes
    SHA-256: 3328eab8501405fcffcc95bb30fbb8bcb963b88928e4a40bd4be3a45d3e80107
  • javascript_obj0101_003.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 101 at offset 0xDF1B  Size: 42 bytes
    SHA-256: 1829f93c988f1bfcd4bf6a74fc06fa5705171ae9bf3ac877b13813c6b492c742
  • javascript_obj0102_004.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 102 at offset 0xDF6F  Size: 37 bytes
    SHA-256: fe4e53074838f6abfbd472249e5e7aec56f4efbd3181dd9980dcac5cc4248e3e
  • javascript_obj0013_005.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 13 at offset 0x34B3  Size: 7416 bytes
    SHA-256: c3b4b5dbf495225a951f486fd196dcd03d890330a4c80742db27bf4f9b241ace
  • javascript_obj0071_006.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 71 at offset 0xD1ED  Size: 421 bytes
    SHA-256: 0299572f2295cd709b8efbf410a6cfcd8555d49290733748c6238eece99e8503
  • javascript_obj0075_007.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 75 at offset 0xD3A2  Size: 421 bytes
    SHA-256: d77323f4373000ff95ada4aadfb95a61eeb33a8d3bfe37a55543a6d451b40ab8
  • javascript_obj0079_008.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 79 at offset 0xD557  Size: 421 bytes
    SHA-256: 3dedd2b50d3fdaca64b1a719133aa058d944c3cd3a5f2dc985a688f8c31ca9df
  • javascript_obj0083_009.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 83 at offset 0xD70C  Size: 421 bytes
    SHA-256: e66676e0de05b4b8aa5abc13da8f42607f40d29f6b54d52094e5da982d3c1b5f
  • javascript_obj0087_010.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 87 at offset 0xD8C1  Size: 422 bytes
    SHA-256: 09315a2a0d81cf1c7c35420810d40fd650d474f3a2b0ac0374e1e0468757b9c8
  • javascript_obj0091_011.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 91 at offset 0xDA77  Size: 422 bytes
    SHA-256: 6105de78b0641a5193918e98131d38c1d98583686db43d4a4fcc6df579f0d560
  • javascript_obj0095_012.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 95 at offset 0xDC2D  Size: 423 bytes
    SHA-256: 97476515facd3eaa6a0072bdc40d283765fca17af94baf25aab71a4c77f2d81c
  • javascript_obj0099_013.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 99 at offset 0xDDE3  Size: 423 bytes
    SHA-256: 92fa10efcf997ca00f4358457dd1f5d20f6c6def3a83ddbe3fca3abcc2dc1515
  • javascript_obj0106_014.js
    Kind: pdf-javascript-stream  Source: PDF /JS object 106 at offset 0xE128  Size: 274 bytes
    SHA-256: 0f333934034a2885daa1406064428206ec3884e078d52f4fa4a7bcbb38299de3