PDF malware analysis — malicious · 53cc0984bccce1e8

MALICIOUS

PDF

7.14 MB First seen: 2021-07-13

MD5: 6b179134e7f6e4e41a63e317ce12b573 SHA-1: fc3cfde594cc39f592c0095de9a560800344b615 SHA-256: 53cc0984bccce1e843a7a21d565e6be4306e9d581cd689ca1c2c972225565697

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript T1204.002 Malicious File

The PDF contains JavaScript that, upon opening, attempts to launch an embedded Office document named 'remittance_0621.doc'. The document body and heuristics indicate a lure to 'Enable Editing', a common tactic for macro-enabled malware. The ML classifier strongly indicates maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 7

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
exportDataObject + nLaunch — embedded-file launch-on-open dropper critical PDF_JS_EXPORT_LAUNCH_DROPPER

PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`remittance_0621.doc`	pdf-embedded-file	PDF EmbeddedFile object 8 at offset 0x5E8	2496678 bytes
SHA-256: `9d96a4622ed6937c95c306536cd4bf9d11230d29ee8738a85c2cee423023b69c`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 24 long base64-like blob(s).
`javascript_obj0009_000.js`	pdf-javascript-stream	PDF /JS object 9 at offset 0x724E58	68 bytes
SHA-256: `f7e83cb5348f77b77400687a24c0ea15e3c813e8454041437a85b01966aa9fde`
Preview script First 1,000 lines of the extracted script this.exportDataObject({ cName: "remittance 0621.doc", nLaunch: 2 });
`javascript_obj0009_001.js`	pdf-javascript-stream	PDF /JS object 9 at offset 0x724E58	66 bytes
SHA-256: `ccd0df00361c387c228cfa0b863dc8a557bb7adfe2e29e67fe9cc31a0ac22cec`
Preview script First 1,000 lines of the extracted script this.exportDataObject({ cName: "remittance 0621.doc", nLaunch: 2 }
`combined_document_js_000.js`	deobfuscated-js	combined document JavaScript streams at offset 0x724E58	135 bytes
SHA-256: `bd06180d7c4bb0602d3135bfb05590ff496dcdfb34f4ed1c5d9b2c72ef58fd91`
Preview script First 1,000 lines of the extracted script this.exportDataObject({ cName: "remittance 0621.doc", nLaunch: 2 }); this.exportDataObject({ cName: "remittance 0621.doc", nLaunch: 2 }

Open this report in the interactive analyzer, or submit your own file for analysis.