Malicious PDF — malware analysis report

Static analysis result for SHA-256 51744de09bb4770a…

Verdict: MALICIOUS
File type: PDF
Size: 1.95 MB
Created: 21-08'00'
Authoring application: ev (via ada)

MD5: 07ed2671c66ea2ab028f7da747c28154
SHA-1: 587dcdf16c2e07760bdcae3bea1cacd3d36310ef
SHA-256: 51744de09bb4770a5f5d50a1d89fc8905a02f4ec0b033b1cbf45a839b9aa07da

Risk score: 68

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The T1204.002 mapping follows from the delivery vector (a user has to open the PDF). The PowerShell mapping is not evidenced by the static findings on this page: the embedded-script heuristic below explicitly reports no Windows shell-execution primitives, so treat T1059.001 as a classifier or analyst inference to be confirmed by dynamic analysis rather than as an observed behaviour.

The PDF contains embedded JavaScript: the PDF_JAVASCRIPT and PDF_JS heuristics fired on a /JavaScript action and the /JS stream it references (object 76, carved as javascript_obj0076_000.js), and the Nyx PDF Classifier scores the file 0.9999 malicious, which is the main driver of the verdict. A second, much larger decompressed stream (embedded_pdf_script_001a00e2.bin, about 2 MB) holds an HTML/XFA <script> tag and a long base64-like blob. The extracted URLs are phpAdsNew ad-delivery resources on ads.fulldls.com (fl.js, a 1x1 tracking GIF, an SWF banner and a logging endpoint whose loc parameter points at a www.kat.ph search page), BBC RSS links and W3C XHTML DTD references, which is consistent with an XHTML page embedded in the document. The report's working hypothesis is that the embedded script downloads and executes a second-stage payload from the unknown-reputation ads.fulldls.com URLs. The static evidence does not yet confirm that: no heuristic matched shell-execution or download primitives and ClamAV found no threats in either carved artifact, so review the carved JavaScript or detonate the sample before acting on these IOCs.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (5)

  • Embedded script payload in PDF stream (medium) PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action (low) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted (9):
    • http://ads.fulldls.com/phpadsnew/www/delivery/fl.js
    • http://ads.fulldls.com/phpadsnew/www/images/1x1.gif
    • http://ads.fulldls.com/phpadsnew/www/images/98d7ce389d96f23f4c410937e101cd5c.swf
    • http://ads.fulldls.com/phpadsnew/www/delivery/lg.php?bannerid=1723&campaignid=238&zoneid=100&loc=http%3A%2F%2Fwww.kat.ph%2Fsearch%2Fadilia%2520horse%2F&cb=61cbf59524
    • http://www.bbc.co.uk/go/rss/int/news/-/news/business-16005502ku.oc.cbb.www
    • http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/9654080.stmku.oc.cbb.swen
    • http://www.bbc.co.uk/go/rss/int/news/-/news/world-us-canada-15997347ku.oc.cbb.www
    • http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
    • http://www.w3.org/1999/xhtml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: javascript_obj0076_000.js
  SHA-256: 7a7c6ae31bf27957e5dbbe2f8ec4f6e4e304b22d0b633e6fdb94b36f19b2c260
  Kind: pdf-javascript-stream
  Source: PDF /JS object 76 at offset 0x6D6
  Size: 52713 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)

Artifact 2
  Filename: embedded_pdf_script_001a00e2.bin
  SHA-256: bfde39873660cba05dfddb072abbd2d8eb3c06295758ec078e53ccd4175f254c
  Kind: pdf-embedded-script
  Source: PDF decompressed stream script payload at offset 0x1A00E2
  Size: 2047982 bytes (decompressed; larger than the 1.95 MB file)
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)
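The heuristics above (PDF_JAVASCRIPT, PDF_JS, PDF_EMBEDDED_SCRIPT_PAYLOAD, the base64-blob check behind EXTRACTED_FILE_STATIC_TRIAGE, and EMBEDDED_URL) and the stream carving in the artifact list can be reproduced with a short static triage script when you want to re-check a verdict by hand. The following is an added example written for this page, not the analysis platform's own code. It builds a constructed sample PDF (a Catalog /OpenAction pointing at a /JavaScript action with a /JS stream, plus a Flate-compressed XHTML stream carrying a <script> tag and a long base64 blob, with example.test hostnames), inflates every stream, applies the rules, and records each stream's file offset the way the artifact list does. The 200-character base64 threshold, the PDF_AUTO_EXEC and PDF_EMBEDDED_SCRIPT_SHELL rules and the SHELL_PRIMITIVES list are my assumptions, added to make the "with or without shell-execution primitives" distinction in the medium-severity rule concrete.

```python
"""Static PDF triage mirroring the report's heuristics (added example, not the vendor's code)."""
import base64
import re
import zlib

# Rule ids and severities copied from the report above. PDF_EMBEDDED_SCRIPT_SHELL and
# PDF_AUTO_EXEC are my own added rules; SHELL_PRIMITIVES is an assumed, illustrative list.
SEVERITY = {
    "PDF_JAVASCRIPT": "low", "PDF_JS": "low", "PDF_EMBEDDED_SCRIPT_PAYLOAD": "medium",
    "PDF_EMBEDDED_SCRIPT_SHELL": "high", "PDF_AUTO_EXEC": "medium",
    "EXTRACTED_FILE_STATIC_TRIAGE": "info", "EMBEDDED_URL": "info",
}
SHELL_PRIMITIVES = (b"powershell", b"cmd.exe", b"wscript.shell", b"shellexecute")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[^\s'\"<>)\]]+")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # 200 chars is an assumed "long" threshold


def build_sample_pdf(with_shell=False):
    """Constructed sample (not the analysed file): Catalog /OpenAction -> JavaScript
    action -> /JS stream, plus a Flate-compressed XHTML page holding a <script> tag and a
    long base64 blob. with_shell=True adds a Windows shell primitive inside the script."""
    js = b"app.alert('hello'); var src = 'http://ads.example.test/delivery/fl.js';"
    shell = b"new ActiveXObject('WScript.Shell').Run('cmd.exe');" if with_shell else b""
    blob = base64.b64encode(bytes(range(256)) * 4)  # 1368 base64 characters
    xhtml = (b"<html xmlns='http://www.w3.org/1999/xhtml'>"
             b"<script src='http://ads.example.test/delivery/fl.js'>" + shell + b"</script>"
             b"<p>" + blob + b"</p></html>")
    flate = zlib.compress(xhtml)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(js), js),
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(flate), flate),
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def decode_stream(dictionary, raw):
    """Inflate /FlateDecode streams; decompressobj tolerates truncated or trailing data."""
    if b"/FlateDecode" not in dictionary:
        return raw
    return zlib.decompressobj().decompress(raw)


def triage_pdf(data):
    """Return rule hits as (rule, object number), URLs keyed by the channel that reached
    them, and the carved stream artifacts with their file offsets, like the report's lists."""
    objects = [(int(m.group(1)), m.group(3), m.start(3)) for m in OBJ_RE.finditer(data)]
    findings, urls, artifacts, js_targets = [], {}, [], set()
    # Pass 1: dictionary-level rules; remember which stream objects a /JS key points at.
    for num, body, _ in objects:
        sm = STREAM_RE.search(body)
        d = body[:sm.start()] if sm else body
        if re.search(rb"/S\s*/JavaScript\b", d):
            findings.append(("PDF_JAVASCRIPT", num))
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", d)
        if ref or re.search(rb"/JS\s*[(<]", d):  # indirect stream or inline string
            findings.append(("PDF_JS", num))
        if ref:
            js_targets.add(int(ref.group(1)))
        if re.search(rb"/(OpenAction|AA)\b", d):
            findings.append(("PDF_AUTO_EXEC", num))
    # Pass 2: carve every stream, inflate it, and run the content rules on decoded bytes.
    for num, body, base in objects:
        sm = STREAM_RE.search(body)
        if not sm:
            continue
        payload = decode_stream(body[:sm.start()], sm.group(1))
        channel = "js-stream" if num in js_targets else "decoded-stream"
        low = payload.lower()
        if b"<script" in low:  # HTML/XFA script tag: medium alone, high with a shell primitive
            shell = any(p in low for p in SHELL_PRIMITIVES)
            findings.append(("PDF_EMBEDDED_SCRIPT_SHELL" if shell else "PDF_EMBEDDED_SCRIPT_PAYLOAD", num))
        blobs = B64_RE.findall(payload)
        if blobs:
            findings.append(("EXTRACTED_FILE_STATIC_TRIAGE", num))
        for url in URL_RE.findall(payload):
            urls.setdefault(url.decode("latin-1"), set()).add(channel)
        # offset = where the raw stream bytes start in the file, as in "object 76 at offset 0x6D6"
        artifacts.append({"object": num, "offset": base + sm.start(1), "size": len(payload),
                          "kind": channel, "b64_blobs": len(blobs)})
    if urls:
        findings.append(("EMBEDDED_URL", None))
    return {"findings": findings, "urls": urls, "artifacts": artifacts}


if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf())
    for rule, obj in report["findings"]:
        print(f"{SEVERITY[rule]:<6} {rule} (object {obj})")
    for url, channels in sorted(report["urls"].items()):
        print("URL", url, "via", ", ".join(sorted(channels)))
    for a in report["artifacts"]:
        print(f"artifact object {a['object']} at offset {a['offset']:#x}: "
              f"{a['size']} bytes, {a['b64_blobs']} long base64-like blob(s)")
```

To run it against a real file, replace build_sample_pdf() with open(path, "rb").read(). Regex-walking the objects is deliberately tolerant of broken or missing xref tables, but it will not see objects packed inside object streams (/ObjStm); a full triage also inflates those and walks the /Names /JavaScript tree, which this example leaves out.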