Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a4726f61941b673…

MALICIOUS

PDF

3.6 KB First seen: 2017-03-15
MD5: a3ee90337f5517fa051d756a0ca0d5e7 SHA-1: 81ea8cf7e04c189b90406b70a72d8e366231a15b SHA-256: 4a4726f61941b67360bb1f8c67e547694a6e20bdca1bca7586dcb80e9beae728
116 Risk Score

Malware Insights

MITRE ATT&CK
T1559.002 Component Object Model Hijacking T1559 Component Object Model Hijacking

The PDF contains embedded JavaScript and an embedded file named 'PO38229287.doc'. The ML classifier strongly indicates maliciousness. The embedded file and JavaScript suggest an attempt to deliver a secondary payload, likely an OLE object, to the user.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • exportDataObject + nLaunch — embedded-file launch-on-open dropper critical PDF_JS_EXPORT_LAUNCH_DROPPER
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
PO38229287.doc pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x3B6 8345 bytes
SHA-256: 1c69cdc2f7329284120166eb00e6b3256439a9483512c3c1691bcf2a29ac3d01
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
javascript_obj0009_000.js pdf-javascript-stream PDF /JS object 9 at offset 0xCAA 63 bytes
SHA-256: 2e197fa1ce6df63607dd177a39e03313710e005608ed3dd33abe0f4a2ef48ae7
Preview script
First 1,000 lines of the extracted script
this.exportDataObject({ cName: "PO38229287.doc", nLaunch: 2 });
javascript_obj0009_001.js pdf-javascript-stream PDF /JS object 9 at offset 0xCAA 61 bytes
SHA-256: 68ba048f26b38f756fe9aaa8d75d19f96623b764735d4fedcc0ce07b3323856c
Preview script
First 1,000 lines of the extracted script
this.exportDataObject({ cName: "PO38229287.doc", nLaunch: 2 }
combined_document_js_000.js deobfuscated-js combined document JavaScript streams at offset 0xCAA 125 bytes
SHA-256: 3d48c2b651f7af9669a8255e73e6c432eea7f4faa5664b013e476822b4c3df92
Preview script
First 1,000 lines of the extracted script
this.exportDataObject({ cName: "PO38229287.doc", nLaunch: 2 });
this.exportDataObject({ cName: "PO38229287.doc", nLaunch: 2 }

Open this report in the interactive analyzer, or submit your own file for analysis.