Malicious PDF — malware analysis report

Static analysis result for SHA-256 5aa47aa1f17d7413…

Verdict: MALICIOUS
File type: PDF
Size: 99.4 KB
Created: 2005-01-28 08:58:53 +01:00
Authoring application: Adobe Illustrator(R) 8.0 (via Adobe PDF Library 5.0)
MD5: 97c28e4635fdaa495258db79812ab13b
SHA-1: 518b15ed414f33548f5b7a8484acf23fc58f94ae
SHA-256: 5aa47aa1f17d7413165e973a88fa0ba09278d34db5f787a1f006f9d8389021c6
Risk score: 118

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF carries 14 embedded /JS streams (objects 73 through 86, carved below) reached through /JavaScript actions. Three of the carved streams (objects 75, 76 and 86) contain eval/decoder/string-building tokens (1, 6 and 5 respectively), String.fromCharCode among them, and are flagged as likely obfuscated. That combination of an executable action surface with payload-staging tokens is what fires the critical PDF_JS_EXPLOIT_CLUSTER rule, mapped to T1059.007 and T1203 with a spearphishing attachment (T1566.001) as the assumed delivery channel. No download or callback URL was recovered: the only extracted URLs are XMP/RDF namespace identifiers from the document metadata, and ClamAV matched none of the 19 carved artifacts, so the verdict rests on the heuristic cluster with only marginal support from the classifier score (0.5445). The self-reported authoring metadata (Adobe Illustrator 8.0, 2005) is trivially forged and does not account for the JavaScript content. Confirming the call means deobfuscating the carved JS streams (objects 76 and 86 carry the most tokens) to recover the staged payload or the reader API being targeted; the high-entropy hit on font_00 is weak evidence on its own, since embedded CFF font data is compact binary that commonly scores high on entropy.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5445

Heuristics (6)

  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode [low] PDF_FROMCHARCODE
    String.fromCharCode found; it is used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are XMP/RDF metadata namespace identifiers, not navigation or download targets.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (19)

Files carved from inside the sample during analysis.

Each record lists filename, SHA-256, kind, source location and size; artifacts with a detection result carry a Detection block.

javascript_obj0073_000.js
  SHA-256: 99db10c8cdc5577e5eb0859e0e521b252c5a2f0f7ba60dacd54eff92acabf8eb
  Kind: pdf-javascript-stream
  Source: PDF /JS object 73 at offset 0x24F6
  Size: 2984 bytes

javascript_obj0074_001.js
  SHA-256: a05e9ef61f1d614748ce1cacd2e72c31a7c9a3a874531099d730545673feeba6
  Kind: pdf-javascript-stream
  Source: PDF /JS object 74 at offset 0x262A
  Size: 2079 bytes

javascript_obj0075_002.js
  SHA-256: 9d1645fef471163426f2178924ce9338e159b5612407dda27fc8139e63e40fb4
  Kind: pdf-javascript-stream
  Source: PDF /JS object 75 at offset 0x2919
  Size: 6740 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 eval/decoder/string-building token(s).

javascript_obj0076_003.js
  SHA-256: 5c4f00c69a59aff02a35f97de664d0603e5d4b449c72889d2a4d27c57bc88c39
  Kind: pdf-javascript-stream
  Source: PDF /JS object 76 at offset 0x30D7
  Size: 15928 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 6 eval/decoder/string-building token(s).

javascript_obj0077_004.js
  SHA-256: 26ca0c06013da4577a675c2e788a7b01643ea33d235af17fe822fe5d98559f8b
  Kind: pdf-javascript-stream
  Source: PDF /JS object 77 at offset 0x421C
  Size: 13505 bytes

javascript_obj0078_005.js
  SHA-256: 5e5d7bb32b96d444601e0a0156c1dcc68a0655dbe30a6e12f3eba2344a8c884e
  Kind: pdf-javascript-stream
  Source: PDF /JS object 78 at offset 0x4957
  Size: 5970 bytes

javascript_obj0079_006.js
  SHA-256: 54c5f9e1eb38a601cd5d54886da574f56fa753743aa1d72ee6daa22b3c30bb11
  Kind: pdf-javascript-stream
  Source: PDF /JS object 79 at offset 0x4F8B
  Size: 6615 bytes

javascript_obj0080_007.js
  SHA-256: d550cd9a1c20316750d0833a59c64d34dff8fa11b4dd1981f17e1c7dbcccd608
  Kind: pdf-javascript-stream
  Source: PDF /JS object 80 at offset 0x5625
  Size: 5078 bytes

javascript_obj0081_008.js
  SHA-256: c81781e069c478026463bd399d01d20f6bd40e603b9d8c303fd8ba85f2407f68
  Kind: pdf-javascript-stream
  Source: PDF /JS object 81 at offset 0x5CA9
  Size: 16697 bytes

javascript_obj0082_009.js
  SHA-256: 9c200c85e5e2fd5706f6f0058531517f80ed3f1501decaf2a47cc3ce7d1f11b6
  Kind: pdf-javascript-stream
  Source: PDF /JS object 82 at offset 0x6BB7
  Size: 1077 bytes

javascript_obj0083_010.js
  SHA-256: c77183bd8accd7d989d1f1b0321ace604c99d056dcd04359567237b5d034cc66
  Kind: pdf-javascript-stream
  Source: PDF /JS object 83 at offset 0x6D73
  Size: 2511 bytes

javascript_obj0084_011.js
  SHA-256: e2bf54728d0a99f59983ddbfbea08c3e63ace8177e43dfd0744059d41669f423
  Kind: pdf-javascript-stream
  Source: PDF /JS object 84 at offset 0x7138
  Size: 4436 bytes

javascript_obj0085_012.js
  SHA-256: 6486d8e7bdd85daeb1149849986e6f0d9a21317557d894d853fda355b859a596
  Kind: pdf-javascript-stream
  Source: PDF /JS object 85 at offset 0x7816
  Size: 9809 bytes

javascript_obj0086_013.js
  SHA-256: f2e83c4bcae264587e6ff71d984fcf34a1fc02cbaccb4c4a5f030a060cf0ba0c
  Kind: pdf-javascript-stream
  Source: PDF /JS object 86 at offset 0x835A
  Size: 1012 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 5 eval/decoder/string-building token(s).

font_00_cff_off0000c09a.bin
  SHA-256: a71412d1640a3ea803bd8797ed1fec615d6540574392f9e498290984f6c1dda1
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xC09A
  Size: 6300 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.43, consistent with packed or encrypted content.

font_01_cff_off0000db95.bin
  SHA-256: 64f358cba53f01533db892f920293a87cc59a4c46404d33bad32acbaa45df461
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xDB95
  Size: 2921 bytes

font_02_cff_off00010d53.bin
  SHA-256: b4cbb5d30691e5990fe8409f43e0a87591f8c0ab96b7fd2475778c1c15d512c1
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x10D53
  Size: 753 bytes

font_03_cff_off000158dd.bin
  SHA-256: 0b317363f72e8eaa3c5261bcec06de94493475d6a06f095505ce568a19c7e8df
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x158DD
  Size: 548 bytes

font_04_cff_off00015c4b.bin
  SHA-256: 7960e93bff494b7e95631aa800b1868c14ce1e160eaa24e01288468d0413bad8
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x15C4B
  Size: 177 bytes
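The carving and scoring this report describes (finding /JS streams through /JavaScript actions, inflating them, counting eval/unescape/fromCharCode tokens in the decoded bytes, and entropy-scoring the raw streams) can be reproduced at small scale. The script below is an added example written for this page; it is not the pipeline that produced the report and it runs against a PDF it constructs itself, not against the sample above. The object walker is deliberately minimal and assumes classic `N G obj` syntax with at most a single FlateDecode filter: it does not handle object streams, cross-reference streams, filter chains, or string-literal /JS values, so on a real sample use a proper parser (pdf-parser.py or peepdf) for extraction and keep only the scoring logic. The token list, the kind labels and the cluster rule follow the report's wording; the entropy value of about 7.4 bits per byte is the one the report itself quotes.

```python
import math
import re
import zlib
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample, NOT the analysed file: one /JavaScript action whose /JS stream
# is FlateDecode-compressed and uses the staging tokens the report's heuristics key
# on, plus a flat, low-entropy stand-in for an embedded font stream.
_JS_PAYLOAD = (b"var s = String.fromCharCode(104, 105);"
               b"var p = unescape('%u9090%u9090');"
               b"eval(s);")

def _build_sample_pdf() -> bytes:
    comp = zlib.compress(_JS_PAYLOAD)
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Length " + str(len(comp)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + comp + b"\nendstream\nendobj\n"
            b"4 0 obj\n<< /Length 40 /Subtype /Type1C >>\nstream\n" + b"A" * 40 +
            b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

SAMPLE_PDF = _build_sample_pdf()
# Staging tokens named by the report's PDF_FROMCHARCODE / PDF_JS_EXPLOIT_CLUSTER rules.
SUSPICIOUS_TOKENS = (b"eval(", b"unescape(", b"String.fromCharCode")
OBJ_START = re.compile(rb"(\d+)\s+(\d+)\s+obj\b\s*")
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")   # direct /Length only

def _read_dict(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Return (dict bytes, end offset) for the << ... >> at pos, honouring nesting."""
    depth, i = 0, pos
    while i < len(buf) - 1:
        two = buf[i:i + 2]
        depth += (two == b"<<") - (two == b">>")
        i += 2 if two in (b"<<", b">>") else 1
        if depth == 0:
            return buf[pos:i], i
    raise ValueError("unterminated dictionary at 0x%X" % pos)

def iter_objects(pdf: bytes) -> Iterator[Tuple[int, int, bytes, Optional[bytes]]]:
    """Yield (object number, file offset, dictionary, raw stream or None) per 'N G obj'."""
    for m in OBJ_START.finditer(pdf):
        pos = m.end()
        if pdf[pos:pos + 2] != b"<<":
            continue                      # bare numbers/arrays: no stream, no action
        d, end = _read_dict(pdf, pos)
        raw = None
        sm = re.match(rb"\s*stream\r?\n", pdf[end:end + 16])
        if sm:
            start = end + sm.end()
            lm = LENGTH_RE.search(d)
            if lm:
                raw = pdf[start:start + int(lm.group(1))]
            else:                         # indirect /Length: scan for the keyword instead
                raw = pdf[start:pdf.find(b"endstream", start)].rstrip(b"\r\n")
        yield int(m.group(1)), m.start(), d, raw

def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; other filters (and corrupt data) are left as-is."""
    try:
        return zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw
    except zlib.error:
        return raw

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 to 8.0); the report treats about 7.4 as packed/encrypted-like."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

@dataclass
class Finding:
    obj: int
    offset: int
    kind: str
    size: int
    tokens: List[str]
    entropy: float

def triage(pdf: bytes) -> List[Finding]:
    """One Finding per stream object, labelled the way the report's artifact list is."""
    objs = list(iter_objects(pdf))
    js_targets = {int(r.group(1)) for _, _, d, _ in objs for r in JS_REF_RE.finditer(d)}
    out = []
    for num, off, d, raw in objs:
        if raw is None:
            continue
        kind = ("pdf-javascript-stream" if num in js_targets or b"/JS" in d
                else "pdf-font-stream" if b"/Type1C" in d or b"/FontFile" in d
                else "pdf-stream")
        data = decode_stream(d, raw)                  # scan decoded bytes, as the rules do
        tokens = [t.decode() for t in SUSPICIOUS_TOKENS if t in data]
        out.append(Finding(num, off, kind, len(raw), tokens, round(shannon_entropy(raw), 2)))
    return out

def exploit_cluster(findings: List[Finding]) -> bool:
    """Same shape as PDF_JS_EXPLOIT_CLUSTER: a /JS surface that also carries staging tokens."""
    return any(f.kind == "pdf-javascript-stream" and f.tokens for f in findings)
```

On the constructed PDF, `triage(SAMPLE_PDF)` reports object 3 as a pdf-javascript-stream carrying all three tokens and object 4 as a pdf-font-stream with entropy 0.0, and `exploit_cluster` returns True, which is exactly the correlation the critical rule above encodes. For a live sample call `triage(open(path, "rb").read())` on an isolated analysis host; entropy is computed on the raw (still compressed) stream, as the report's font_00 figure is, so expect compressed JS streams to score high as well and treat the number as context rather than as a detection.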