Malicious PDF — malware analysis report

Static analysis result for SHA-256 48d7e83cf92f3c3c…

MALICIOUS

PDF

Size: 596.9 KB
Created: 2009-03-11 23:15:15 +04:00
Authoring application: LaTeX with hyperref package (via dvips + Distiller)
MD5: 1cf64d87c157737d5d33dcb36ca6e650
SHA-1: a114c9c8fd7f4ef34bec60acfdda7266d7ff8ae7
SHA-256: 48d7e83cf92f3c3c3edd4ce5a3ceb8c63adbaea0388cb1edeeafa61a8fd3d59b
Risk Score: 106

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The PDF contains multiple embedded JavaScript streams, with high-confidence heuristics indicating the use of eval() and String.fromCharCode for obfuscation. The ML classifier strongly suggests malicious intent. The embedded JavaScript is likely designed to download and execute a second-stage payload from the external URL http://www.ugr.uaeu.ac.ae/math/basic_math_1.shtml, which is flagged as suspicious. The presence of JavaScript actions and AcroForm buttons further supports the exploitation of PDF features for malicious purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9714

Heuristics (8)

  • eval() call (severity: high, rule PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution.
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (severity: low, rule PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
  • AcroForm button with action trigger (severity: low, rule PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.ugr.uaeu.ac.ae/math/basic_math_1.shtml

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
javascript_obj0014_000.js | fb66e84eb1ee32b675a17f6ef9179e998bc50c5442c35cc2b0bcbc9a501a58a2 | pdf-javascript-stream | PDF /JS object 14 at offset 0x4BF | 163 bytes
javascript_obj0015_001.js | d5f99861ea3eb20825e5a5472d6abbbb3ffe3bd257ff35a2a87eb477cbe6d42b | pdf-javascript-stream | PDF /JS object 15 at offset 0x5A5 | 2420 bytes
javascript_obj0015_002.js | 25090737cd6621ef38859a216e0bd5ee7ff2b9cd746961f47d93861f0cc47f19 | pdf-javascript-stream | PDF /JS object 15 at offset 0x5A5 | 239 bytes
javascript_obj0016_003.js | 03b635aa84fd9a6339f0f411c55e312d7f2d57f17ca97bda78a98474fe7a6db6 | pdf-javascript-stream | PDF /JS object 16 at offset 0x1005 | 13031 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 20 eval/decoder/string-building token(s).
javascript_obj0016_004.js | f531222f36bde7e3702f4676fcfb8df0304f583b3a6dd8589a8c6553a8d55972 | pdf-javascript-stream | PDF /JS object 16 at offset 0x1005 | 47 bytes
javascript_obj0017_005.js | 7d4fcfb64149c9ceee2c4dc297744fcc5c79797702614f73ffe2bf507c21df2d | pdf-javascript-stream | PDF /JS object 17 at offset 0x4850 | 2470 bytes
javascript_obj0018_007.js | c1f91ce797cee38545079cb0664f9d0560c633701a6ef3a701af98a884de7169 | pdf-javascript-stream | PDF /JS object 18 at offset 0x52EE | 11975 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj0019_009.js | d1d02691af96ff490ef0acd12ec2fc89bd17a9b22498b7ff0cd1c2dabfdfebc5 | pdf-javascript-stream | PDF /JS object 19 at offset 0x85C5 | 2018 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj0019_010.js | 072a23733de37e0bd77f1678aff5a307fdd8e64fecffcc0e88f645e2da3da4d0 | pdf-javascript-stream | PDF /JS object 19 at offset 0x85C5 | 81 bytes
javascript_obj0020_011.js | bebeb8011fe3c326046026c4f619ef8c619533e9c49043e74d4ee07830e1ad66 | pdf-javascript-stream | PDF /JS object 20 at offset 0x8E68 | 2554 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj0020_012.js | fa562bd65a6760194901727d09a59bbbee66e5103d64da03231924d40b86ed59 | pdf-javascript-stream | PDF /JS object 20 at offset 0x8E68 | 45 bytes
javascript_obj0021_013.js | 07613261b8d43646cbe69db0e72df82e42fd1f49602eefa944c80c31975e4ef9 | pdf-javascript-stream | PDF /JS object 21 at offset 0x9989 | 1055 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
javascript_obj0021_014.js | f8fbc068303dfbb938e728f72740d0f912412a87cab49f909f5db09c0a6393d7 | pdf-javascript-stream | PDF /JS object 21 at offset 0x9989 | 51 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj0022_015.js | 9df68f95f19f4249d083e367f14452bf6dbee07e7e7892750bf8ecc0d3b2569c | pdf-javascript-stream | PDF /JS object 22 at offset 0x9E2D | 112 bytes
javascript_obj0023_016.js | b4418934cb96d9dc733cd23c4c5c5ea768580e53eb49611e5cd671342961efb8 | pdf-javascript-stream | PDF /JS object 23 at offset 0x9EDA | 1796 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 13 eval/decoder/string-building token(s).
javascript_obj0023_017.js | 9c8e131e39b271c45fec5e60193978a6a47db104b9a1d3cd0699664c65db2959 | pdf-javascript-stream | PDF /JS object 23 at offset 0x9EDA | 36 bytes
javascript_obj0077_018.js | 2b8b6fa91ab3113d12738a23965cb3775b9d87af02d9d7fd4a04afcf917f6103 | pdf-javascript-stream | PDF /JS object 77 at offset 0xE63E | 128 bytes
javascript_obj0078_019.js | fc543aa4b177b6a842725bf2b05280a35d9f834bfa690f29834058bf7c0c6f62 | pdf-javascript-stream | PDF /JS object 78 at offset 0xE7D9 | 112 bytes
javascript_obj0080_020.js | a4edcd11241ee9a89f0cb0fc8b3d6419cfce8baf2b2575843cf084e240736f77 | pdf-javascript-stream | PDF /JS object 80 at offset 0xEA44 | 112 bytes
javascript_obj0081_021.js | 8e9cd40cf0afec8babddc7e25bf691ef7269b120e3ce6128690026a775b36159 | pdf-javascript-stream | PDF /JS object 81 at offset 0xEBBE | 38 bytes
javascript_obj0082_022.js | 7ca54c6f5a375728e21b2592cd050e29b1730001205fb54fd8c8fff28e795c9c | pdf-javascript-stream | PDF /JS object 82 at offset 0xED0E | 112 bytes
javascript_obj0084_023.js | 1c7a8174110dfaa4669c9774704ba6dc6f787122d9c3f823ebf92c1da16b44c8 | pdf-javascript-stream | PDF /JS object 84 at offset 0xEF7D | 112 bytes
javascript_obj0086_024.js | 941aa96f4fcfce81d17ae8b623d6f0ee08d1928c3fc9acbc2684b50c61efc8e1 | pdf-javascript-stream | PDF /JS object 86 at offset 0xF1EC | 112 bytes
javascript_obj0088_025.js | b53be63151b43638bad53ecf24c66a467144319b62a940df8df19932d1fa80c3 | pdf-javascript-stream | PDF /JS object 88 at offset 0xF457 | 112 bytes
javascript_obj0090_026.js | 9198e3219411e86d38c9db411fa8af611becdda50f78cfe6135ee166e72705aa | pdf-javascript-stream | PDF /JS object 90 at offset 0xF6C6 | 112 bytes
javascript_obj0092_027.js | 721ae1c58ae2187c7c79724088ddbcf64a998ebfe5ed0c87d0e6e76e493853c6 | pdf-javascript-stream | PDF /JS object 92 at offset 0xF935 | 112 bytes
javascript_obj0093_028.js | bb64bd964a6d5eba5ab3c3e8e3d68dd5aaa45a5da99e0a27c1ff367af94a7542 | pdf-javascript-stream | PDF /JS object 93 at offset 0xFAAF | 38 bytes
javascript_obj0094_029.js | 37ac0f4aac785b1427e45eb7bd819bd4e1ac9010ab85e518e91b3e87ba6c2583 | pdf-javascript-stream | PDF /JS object 94 at offset 0xFBFF | 112 bytes
javascript_obj0095_030.js | e396b785f14d25c7b2f3dd10d29a90544699f73a751f7f702e6c28f5b48afef0 | pdf-javascript-stream | PDF /JS object 95 at offset 0xFD77 | 38 bytes
javascript_obj0096_031.js | b6e833f2b72fdd226b4d56504f21b378066eb8eabffedce6fd0368c3122ecf77 | pdf-javascript-stream | PDF /JS object 96 at offset 0xFEC5 | 112 bytes
javascript_obj0098_032.js | 9b657de042c7610e3962c0f16a0ba772d176c8d4aa355d031c347c337d1bc9fa | pdf-javascript-stream | PDF /JS object 98 at offset 0x10134 | 112 bytes
javascript_obj0100_033.js | 40a7c6657d2de7e5ef01e74ab181c90be3ce081dc4a92db0f61e7e920ef84639 | pdf-javascript-stream | PDF /JS object 100 at offset 0x103A3 | 112 bytes