Malicious PDF — malware analysis report

Static analysis result for SHA-256 56f414b4835b7890…

Verdict: MALICIOUS

File type: PDF

Size: 1.95 MB
Created: 2012-09-01 19:12:05 -04:00
Authoring application: ReportLab PDF Library - www.reportlab.com
MD5: 1f91e0afb881631e621eeb6bdee765bb
SHA-1: b89b33817d2730a490c6d46cc223c8264adec443
SHA-256: 56f414b4835b78909b4a05e0cb120d4d21470482858aeda0fa1716c6016dcc26
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File

The PDF carries an embedded script payload inside a FlateDecoded stream (carved as stream_001_off000008a1.js, 5167 bytes, containing three long base64-like blobs). Heuristics flag the stream as a suspicious artifact and a potential exploit, and the Nyx ML classifier scores it 0.9842 malicious, while ClamAV reports no signature match. The document also declares XFA forms, which can carry script logic. Static analysis did not identify a download or execution primitive: the <script> tag appears without Windows shell-execution primitives, and the only extracted URL (http://www.reportlab.com) is the authoring-application vendor address from the file metadata. Whether the script stages a second payload cannot be confirmed from the static evidence alone; the base64-like blobs should be decoded and inspected before treating the document as a downloader.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9842

Heuristics (4)

  • Embedded script payload in PDF stream (medium) PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; this is common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form (low) PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.reportlab.com (matches the authoring-application string in the file metadata)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                    Kind                     Source                                    Size
stream_000_off00000782.bin  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x782   313 bytes
  SHA-256: 7b1391776835541c556835aca98f54db2c9a8cc87a3cb3bf8c44f859ebd1e7ff
stream_001_off000008a1.js   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x8A1   5167 bytes
  SHA-256: 1a746f27c633686d578cf1f5626e720efd5abdccea734a13ef8e21b629f9e120
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 3 long base64-like blobs)
stream_002_off00001204.bin  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1204  131 bytes
  SHA-256: 9749f853cf9ebd4f5ddf798b29e945a0e596c9301d4a7fe23dd3c8ad79b9b51c
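The stream carving in the table above and the four heuristics listed earlier are simple enough to reproduce by hand, which is useful when you want to re-check a verdict offline. The following Python script is an added example written for this page, not the analysis platform's code: it walks a PDF's indirect objects, inflates /FlateDecode streams (recording the file offset of each, as the report does), and applies the rules by name: a <script> tag with or without Windows shell-execution primitives, an /XFA entry, long base64-like blobs, and URL extraction. The rule IDs are reused from the report; the sample PDF the script builds is constructed and is not the analysed file, and the shell-primitive list, the 200-character blob threshold and the keyword-based object framing are this example's own assumptions rather than the platform's.

```python
import re
import zlib
import base64
from dataclasses import dataclass

# Object/stream framing by keyword.  A production parser follows /Length and
# unpacks object streams; this is enough for the stream layout in the report.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

# Heuristic signatures (assumed patterns, named after the report's rule IDs).
SCRIPT_TAG = re.compile(rb"<script\b", re.I)
SHELL_PRIMS = re.compile(rb"cmd\.exe|powershell|WScript\.Shell|ShellExecute", re.I)
B64_BLOB = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{200,}={0,2}")  # 200 is an assumed threshold
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


@dataclass
class Artifact:
    obj_num: int
    offset: int   # file offset of the raw (still compressed) stream bytes
    kind: str     # "decompressed-pdf-stream" or "raw-pdf-stream"
    data: bytes


@dataclass
class Finding:
    rule: str
    severity: str
    obj_num: int  # 0 = document-level finding
    detail: str


def carve_streams(pdf: bytes) -> list[Artifact]:
    """Walk indirect objects, inflate /FlateDecode streams, keep the rest raw."""
    out = []
    for om in OBJ_RE.finditer(pdf):
        body = om.group(3)
        sm = STREAM_RE.search(body)
        if not sm:
            continue
        dictionary, raw = body[:sm.start()], sm.group(1)
        offset = om.start(3) + sm.start(1)
        kind, data = "raw-pdf-stream", raw
        if b"/FlateDecode" in dictionary:
            try:
                # decompressobj() tolerates a truncated tail, unlike zlib.decompress()
                data, kind = zlib.decompressobj().decompress(raw), "decompressed-pdf-stream"
            except zlib.error:
                pass  # corrupt stream: triage the raw bytes instead of dropping them
        out.append(Artifact(int(om.group(1)), offset, kind, data))
    return out


def triage(pdf: bytes) -> tuple[list[Artifact], list[Finding]]:
    """Apply the four heuristics from the report to every carved stream."""
    artifacts, findings = carve_streams(pdf), []
    if b"/XFA" in pdf:  # the /XFA key sits in the (uncompressed) /AcroForm dictionary
        findings.append(Finding("PDF_XFA", "low", 0, "document declares an /XFA entry"))
    for a in artifacts:
        if SCRIPT_TAG.search(a.data):
            # A bare <script> tag is common in XFA forms; a shell primitive beside it is not.
            if SHELL_PRIMS.search(a.data):
                findings.append(Finding("PDF_EMBEDDED_SCRIPT_PAYLOAD", "high", a.obj_num,
                                        "<script> tag with Windows shell-execution primitive"))
            else:
                findings.append(Finding("PDF_EMBEDDED_SCRIPT_PAYLOAD", "medium", a.obj_num,
                                        "<script> tag without shell-execution primitives"))
        blobs = B64_BLOB.findall(a.data)
        if blobs:
            findings.append(Finding("EXTRACTED_FILE_STATIC_TRIAGE", "info", a.obj_num,
                                    f"{len(blobs)} long base64-like blob(s)"))
        for url in sorted(set(URL_RE.findall(a.data))):
            findings.append(Finding("EMBEDDED_URL", "info", a.obj_num, url.decode(errors="replace")))
    return artifacts, findings


def flate_obj(num: int, extra: bytes, payload: bytes) -> bytes:
    """Serialise one indirect object whose stream is FlateDecoded."""
    comp = zlib.compress(payload)
    return (b"%d 0 obj\n<< %s /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream\nendobj\n"
            % (num, extra, len(comp), comp))


def build_sample_pdf(with_shell: bool = False) -> bytes:
    """Constructed sample (not the analysed file): a minimal PDF with an XFA stream
    carrying a <script> tag and a long base64-like blob, plus a metadata stream
    naming the ReportLab URL, mirroring the artifact shapes in the report."""
    shell = b'new ActiveXObject("WScript.Shell");' if with_shell else b""
    xfa = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>'
           b'<script contentType="application/x-javascript">'
           b'var p="' + base64.b64encode(b"A" * 300) + b'";' + shell +
           b'</script></template></xdp:xdp>')
    pdf = b"%PDF-1.7\n"
    pdf += b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AcroForm << /XFA 4 0 R >> >>\nendobj\n"
    pdf += b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    pdf += flate_obj(3, b"/Type /Metadata", b"Producer: ReportLab PDF Library - http://www.reportlab.com")
    pdf += flate_obj(4, b"/Type /EmbeddedFile", xfa)
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return pdf


if __name__ == "__main__":
    arts, finds = triage(build_sample_pdf())
    for a in arts:
        print(f"obj {a.obj_num} @0x{a.offset:X} {a.kind} {len(a.data)} bytes")
    for f in finds:
        print(f"[{f.severity}] {f.rule} obj={f.obj_num}: {f.detail}")
```

Running it against the constructed sample reproduces the report's shape: two decompressed streams with their offsets, PDF_XFA at low, PDF_EMBEDDED_SCRIPT_PAYLOAD at medium, one base64-like blob flagged for triage, and the ReportLab URL surfaced as an informational extraction rather than a detection. Passing `with_shell=True` adds a WScript.Shell reference to the script and the same rule escalates to high, which is the distinction the report's "without accompanying Windows shell-execution primitives" wording is drawing.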