Malicious PDF — malware analysis report

Static analysis result for SHA-256 552baa30e5f07fbc…

MALICIOUS

PDF

Size: 83.6 KB
Created: 2006-10-03 13:54:05 -05:00
Authoring application: OmniForm Premium (via APJavaScript 2.2.1 Windows SPDF_1112 Oct 3 2005)
MD5: 2d3e3cf2d0994b9883f8e7e70a9b84f4
SHA-1: b54c134b9d6073ddae1803596ecd1e31541214e3
SHA-256: 552baa30e5f07fbc6a69730feb75952827b80a48b6983ff9342034ae0907a83f
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript. The embedded script, 'stream_007_off00014467.js', is likely responsible for downloading and executing a secondary payload, which is a common technique for malware delivery. The presence of XFA forms and AcroForm buttons suggests an attempt to create an interactive document that could trick users into triggering the malicious script.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9976

Heuristics (6)

  • Embedded script payload in PDF stream (severity: medium; rule PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action (severity: low; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form (severity: low; rule PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic.
  • AcroForm button with action trigger (severity: low; rule PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size and SHA-256.

  • stream_007_off00014467.js
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x14467
    Size: 1042 bytes
    SHA-256: d1dfd457a2fdd3cec4091f689f39b85b35666aa5599ef3a8d5f9a80d1e2ce105
  • font_00_sfnt_off000076cf.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x76CF
    Size: 65932 bytes
    SHA-256: 70659657d9a573d51efd0a7c77aef729560741b3f2478ff203fa6159e6a6830d
  • font_01_type1_off00014915.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (type1) at offset 0x14915
    Size: 97 bytes
    SHA-256: c6bf78478c9c4dd5b3b86554d34c78f847f70af4118f9ff083c1fccf0e8e932b
  • font_02_type1_off00014ba4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (type1) at offset 0x14BA4
    Size: 144 bytes
    SHA-256: b749644b3e758e7335900ab2e7499eaa64b3a946849f1f8a0948287bdd96763d