Malicious PDF — malware analysis report

Static analysis result for SHA-256 4de6c1c1f3598dec…

Verdict: MALICIOUS
File type: PDF
File size: 89.2 KB
MD5: 98d1ff4af5cfc944c3c5ce94e4b1c2b2
SHA-1: e644e98a96ed4aa37283e556e1c69eb5c93706e6
SHA-256: 4de6c1c1f3598dec5183bc66b97fbbe7cdee9493eb12c11aec6841ff8398598d
Risk Score: 286

Malware Insights

MITRE ATT&CK

  • T1204 Malicious File Execution
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.007 Command and Scripting Interpreter: JavaScript/JScript

The sample is a PDF file that leverages embedded JavaScript and a Flash RichMedia exploit (CVE-2011-0611) to achieve code execution. The critical heuristic firings for PDF JavaScript exploit cluster and CVE-2011-0611 indicate a high likelihood of exploitation. The embedded JavaScript, particularly the reconstructed string from the `zz` function in `javascript_obj0029_000.js`, suggests the script is designed to download and execute a second-stage payload. The presence of multiple JavaScript streams and embedded files further supports this. The confidence is high due to the critical exploit indicators, but not absolute as the exact second-stage payload could not be determined.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9972

Heuristics (11)

  • Adobe Flash Player RichMedia exploit | critical | CVE likely | CVE_2011_0611_FLASH_RICHMEDIA
    PDF combines RichMedia Flash activation with an embedded AS3 SWF loader (ByteArray/loadBytes) and shellcode heap-spray staging. This is the static exploit shape associated with CVE-2011-0611 Flash content delivered through Adobe Reader.
  • PDF JavaScript exploit cluster | critical | PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • RichMedia (Flash) | high | PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash), which is a historic exploit vector.
  • Generic recovered JavaScript exploit stage | high | PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • ASCIIHexDecode filter (with exploit indicators) | medium | PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes.
  • JavaScript action | low | PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream | low | PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file | low | PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form | low | PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://ns.adobe.com/xdp/
      • http://www.xfa.org/schema/xci/2.6/
      • http://www.xfa.org/schema/xfa-template/2.1/

Extracted artifacts (19)

Files carved from inside the sample during analysis.

Each entry lists: Filename / SHA-256 / Kind | Source | Size (detection notes follow where present).

5.swf
  SHA-256 797559d3f1e4f62f7d7ec5a729b60c863e13118d22afb32eab08faf38dc7c87f
  pdf-embedded-file | PDF EmbeddedFile object 50 at offset 0x40C5 | 2809 bytes

javascript_obj0029_000.js
  SHA-256 9dd7553388150ccced5cef7572438c76fb0f1cca59625c563aaa569a0907eefb
  pdf-javascript-stream | PDF /JS object 29 at offset 0x14146 | 19788 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 long base64-like blob(s).

javascript_obj0039_001.js
  SHA-256 79a847f48c29830c80cf0408c7505d8bd07472b58ec4ea49698a533638d7bb04
  pdf-javascript-stream | PDF /JS object 39 at offset 0x1E9B | 5637 bytes

javascript_obj0056_002.js
  SHA-256 2b0cb364300292a88607c7b04076629077f1b58bbf9fa93686a58f4ad62ef40b
  pdf-javascript-stream | PDF /JS object 56 at offset 0x32FA | 1417 bytes

stream_004_off0000088f.bin
  SHA-256 69e17a0038b9273e6d005ef52313a832cb41b9cf9713d6134d0cf9f2e59298a7
  decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x88F | 434 bytes

generic_stage_recovery_000.js
  SHA-256 2521081fc23abb636ffeff62c87c6bd1db2ae89ec419b8ba0862bc9fb257c242
  deobfuscated-js | generic stage recovery marker-MM-to-%u from JavaScript object 29 at offset 0x14146 | 19609 bytes

generic_stage_recovery_001.js
  SHA-256 59a92aa861d0506755480142ae1f8c8ad2b0ece8045e978ba383f97b3ba7dc3b
  deobfuscated-js | generic stage recovery marker-MM-to-%u from JavaScript object 29 at offset 0x14146 | 13130 bytes

generic_stage_recovery_002.js
  SHA-256 114a5b077cdec0da4f0492cb47e551d6092a094399fd0f8214a03324ae4affb6
  deobfuscated-js | generic stage recovery marker-MM-to-%u from combined JavaScript objects at offset 0x14146 | 26665 bytes

generic_stage_recovery_003.js
  SHA-256 1c1fd256d04ec3b7fcd62a5fa622c8095a4c8fa6d73258a825303043c57ed8a5
  deobfuscated-js | generic stage recovery marker-MM-to-%u from combined JavaScript objects at offset 0x14146 | 20186 bytes

generic_stage_recovery_004.js
  SHA-256 3ba64244b2b6b1c2ba5157dfb16ed66f8a46e9ce2b85a9f88be01dd28efd6412
  deobfuscated-js | generic stage recovery marker-AAAAA-to-%u from decompressed stream at 0xE51 at offset 0xE51 | 7789 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).

generic_stage_recovery_005.js
  SHA-256 93522b2cf19db13aac26cb30efbe725e7f50d0c0d9c72950e2ec10073b744432
  deobfuscated-js | generic stage recovery marker-AA-to-%u from decompressed stream at 0xE51 at offset 0xE51 | 7821 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).

generic_stage_recovery_006.js
  SHA-256 1e712ebe5edbaf8371bb08490c13f27a196e6404ba3ec69298268f127b801643
  deobfuscated-js | generic stage recovery marker-ffffffff-to-%u from decompressed stream at 0xE51 at offset 0xE51 | 2275 bytes

generic_stage_recovery_007.js
  SHA-256 7a3e84e74468af182cc56d301a08b43c96c51fd1f0e434ed57bb0a0ec05510cf
  deobfuscated-js | generic stage recovery marker-AAAAA-to-%u from decompressed stream at 0x1663 at offset 0x1663 | 7808 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).

generic_stage_recovery_008.js
  SHA-256 bb59b77437da40e7978965835b243176e71f6438bc83b2f308fc9e10fd1e5c70
  deobfuscated-js | generic stage recovery marker-AA-to-%u from decompressed stream at 0x1663 at offset 0x1663 | 7821 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).

generic_stage_recovery_009.js
  SHA-256 d8c7f7c5a63c46f47c03f294d2589adf9fad88074c4d9526c56da11f52d1ea24
  deobfuscated-js | generic stage recovery split-literal-normalize -> marker-MM-to-%u from JavaScript object 29 at offset 0x14146 | 19516 bytes

generic_stage_recovery_010.js
  SHA-256 c082c9288f26fc4b586be59fe29ce198606bd9f7ba7ae4c9fafeed190b7deac2
  deobfuscated-js | generic stage recovery split-literal-normalize -> marker-MM-to-%u from JavaScript object 29 at offset 0x14146 | 13082 bytes

generic_stage_recovery_011.js
  SHA-256 b1578b761e26b84b6fb86a7f2a1cab56cd87cf339152a1763600b77e4f7d829c
  deobfuscated-js | generic stage recovery marker-MM-to-%u -> split-literal-normalize from JavaScript object 29 at offset 0x14146 | 19516 bytes

font_00_sfnt_off00000e51.bin
  SHA-256 9520d1e3c26c38a7d8e0587578a21196782149e3c5f4b565229deafde3ff3a35
  pdf-font-stream | PDF embedded font (sfnt) at offset 0xE51 | 8429 bytes

font_01_sfnt_off00001663.bin
  SHA-256 18f2d21f655a09be0df9f6bfb4b539e43160f5a64a3e1b2dd7a4c8a5a185a5d2
  pdf-font-stream | PDF embedded font (sfnt) at offset 0x1663 | 8429 bytes