Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ad5f3fc591c5fd7…

MALICIOUS

PDF

57.1 KB
MD5: 9f786d156d0ab292cd7f80b640ac707d SHA-1: 2fef33fa6e8d632996f365016db7aac03d1a2980 SHA-256: 5ad5f3fc591c5fd77469a1aaa3096a900ab19f9820e93d02073c77cce10909d0
110 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and triggers heuristics related to JavaScript exploits and XFA forms. The embedded JavaScript is likely responsible for downloading and executing a secondary payload from one of the identified unknown-reputation URLs. The presence of these elements strongly suggests an exploit targeting PDF vulnerabilities for initial execution.

Machine Learning

  • Nyx PDF Classifier clean score 0.1382

Heuristics 8

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://lluxsapp194/dev%5Fek025/wwwdev/DexiaPlusLU%5FQuote/bil/form/transferPdf.aspx?serviceName=Reception%20Contactez%20Moi
    • http://dexia-bil.com/suivi_eer
    • https://secure.dexia-bil.lu/form/getFormBack.aspx?serviceName=Reception%20Devenir%20Client&amp;lang=de
    • http://ns.adobe.com/xfdf/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xci/2.8/
    • http://www.xfa.org/schema/xfa-template/2.6/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-locale-set/2.6/
    • http://ns.adobe.com/data-description/
    • http://www.xfa.org/schema/xfa-connection-set/2.4/
    • http://www.xfa.org/schema/xfa-connection-set/2.8/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://cgi.adobe.com/special/acrobat/update

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off00000123.js
a8105e062db48d1e5ac85de5f9bb9e213e30ffcbba47d5002f4c74f90e262f33		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x123 2163 bytes
stream_002_off0000049c.js
cd1f4f394d377b480e48ae4dbe0c8b97ad436b82f5df5eacf25c65391fa67cc1		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x49C 204070 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
stream_003_off00004bfa.bin
eef7a9ffc52531135ba552349bb89c4c0d477c2466414704a18382b8fcf31624		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4BFA 5620 bytes
stream_004_off0000506b.bin
5f9e1efc0475212c57ac50dd610c52c8e54f8ff0b5cf8560bdd4d6e02d921da9		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x506B 1753 bytes
stream_005_off000052f6.bin
1b807bfdd2fad535c2c9d2cf1056de81d170ff9a2eab3fcc474785661dc9a4f8		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x52F6 311 bytes
stream_006_off000053f6.bin
595c2385102a094ef120d7b4629ab63ab95ea080f8c56878ec8fff98fb199cb0		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x53F6 28201 bytes
stream_010_off00007fb2.js
f94e41f586bf3f20bc1deeac4bfbda388a61db43f25fbd6304ba73f5653368cf		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x7FB2 1313 bytes
stream_011_off00008191.js
1b2ec98752b966f601d5223a750559cf13d562ac5e5c6d1fcc7217835b01f5fd		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8191 902 bytes
stream_016_off0000e0f7.bin
82e89b3624b54e51f6676e1d0bb51bfc05eea7f305c3345a4eb696eadb7af2e5		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xE0F7 1219 bytes
objstm_0012_00.bin
4e3c16364aaddab2cd125a056b900eddc31b3c29559612fff2ee9737c9cd04ef		 pdf-objstm-decoded PDF /ObjStm 12 0 obj (inflated) 8709 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.