PDF static analysis report

Static analysis result for SHA-256 56e78045aa7b6bae…

Verdict: SUSPICIOUS

File type: PDF

Size: 19.7 KB
Created: 2012-02-09 12:05:02 +01:00
Authoring application: GPL Ghostscript 8.70
First seen: 2026-05-09
MD5: c797c01565812be4be37d50de1deb439
SHA-1: 6e5fec0c90f2f8f80dca504cba6ae5b6644711f4
SHA-256: 56e78045aa7b6bae576f8e8bf834cbd2836ef5e9526dcdc088b0c654a1d6c8ad
Risk Score: 50

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, flagged by heuristics as potentially malicious. The ML classifier also strongly indicates maliciousness. While the document body contains German text related to direct debit and pricing, the presence of JavaScript suggests an attempt to execute malicious code. The specific intent of the JavaScript is unclear due to its small size and lack of clear obfuscation patterns, but it is likely intended to download and execute a second-stage payload or perform other malicious actions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics (4)

  • JavaScript action (severity: low, 1 related finding) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies (severity: info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in PDF document text:
    • http://www.iec.ch
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • javascript_obj0029_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 29 at offset 0x4C26
    Size: 41 bytes
    SHA-256: 6aeb2fc8f6b0dba7b9d76914b437aa0140bcd183b4c2b0d2b66173e7a39a1974
    Extracted script (preview, first 1,000 lines):
    AFNumber_Keystroke(2, 2, 0, 0, "", true);
  • javascript_obj0030_001.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 30 at offset 0x4C80
    Size: 38 bytes
    SHA-256: dd4e86ff46931388298d522a0c25afc2a74df361f28fb6ad9f104ffc1f5056c1
    Extracted script (preview, first 1,000 lines):
    AFNumber_Format(2, 2, 0, 0, "", true);
  • icc_00_off0000076f.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x76F
    Size: 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  • font_00_cff_off00001b67.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1B67
    Size: 5520 bytes
    SHA-256: af7b0a2e9a10832e74217262a85a234562c66e5dd2e2e62610e6c32990464209
  • font_01_cff_off00002f4a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x2F4A
    Size: 2934 bytes
    SHA-256: 3d44a04ffae1f01da956cfb6e32eb164036905e67818df7d5ea72227e873e85d