Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c4d6b059dfe8379…

Verdict: MALICIOUS
File type: PDF
Size: 1.03 MB
MD5: d1d77f293757934fd8b96188f6edfc76
SHA-1: 4c3a19fe33be3bc2597c0fd24d43e0bc31510223
SHA-256: 5c4d6b059dfe8379224fce82036946bee33e3f4c956c22f165729f652c0df924
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is a PDF containing multiple JavaScript streams, with several heuristics indicating JavaScript exploitation and obfuscation. One stream, stream_010_off00005f4d.js, is flagged as part of an exploit cluster involving eval() calls. This suggests the script is designed to execute malicious code, likely downloading a secondary payload, which is a common technique for malware delivery.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0017

Heuristics (8)

  • PDF JavaScript exploit cluster (severity: critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call (severity: high) PDF_EVAL
    eval() found; commonly used for obfuscated exploit execution (matched inside decoded stream)
  • Unusually high stream count (severity: medium) PDF_MANY_STREAMS
    PDF contains 501+ stream objects; may indicate heap spray or heavy obfuscation
  • JavaScript action (severity: low) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Fake invoice / payment lure (severity: low) SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators
  • Suspicious extracted artifact (severity: info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size | Detection notes
stream_005_off00005560.js | 397d6d93509729635feadda45f42ca06d8eee196605e12f33727fb40f1e0bf34 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5560 | 1733 bytes |
stream_010_off00005f4d.js | 90938c24c12786726edac836c851be790bdf7dafb4ba39ce49d699b370fbc6a7 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5F4D | 2603 bytes | ClamAV: no threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token.
stream_023_off00009a5b.js | 581f96ec2439a629d74b72fd7c4d79f4206a32c4201b16200963e926de6537c9 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x9A5B | 1335 bytes |
stream_024_off00009e05.js | 5d15eb90420722f085af111c6ed741abe9edad934bf21ba7abb56565b819592a | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x9E05 | 6185 bytes |
stream_027_off0000b16f.js | bd2a9d944551986148e039b9b0a48c4e2ffead07147f443a674c4f6cac45ce7a | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB16F | 3571 bytes |
stream_033_off0000ec26.js | be886aa50ffd41d0f9f4bb94f73da4b20c91f2b1824b291d0c032bc89cd32d41 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xEC26 | 2854 bytes |
stream_035_off0000f503.js | 0ef5fc61610dd937a75f12093b45d7e0400f4af4d4de04fa55635a958deb799a | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xF503 | 9578 bytes |
stream_036_off000102e1.js | fd4206c0f8abd34382910d01440d530a49a308bebc9255abfab3a8c7f0ef0948 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x102E1 | 55526 bytes |
stream_095_off000522d9.js | c62452289174129ae9f1884517087d88190df9441697ca1554048d3085a4ac49 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x522D9 | 3995 bytes |
stream_096_off000525d7.js | e7709df0953c5b6d8034f200cd906a0667a63e3a914613ea1b36426643643b3f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x525D7 | 493 bytes |
objstm_5166_00.bin | f99e2027f4548c8869ef18a9bd688609c81662489b0b5e3d34eb2cd9ba95c547 | pdf-objstm-decoded | PDF /ObjStm 5166 0 obj (inflated) | 23221 bytes | ClamAV: no threats found. Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blobs.
objstm_5167_00.bin | 0ba505c8b58d91e2f3d71c12d84ecc17beb4d925eee05821d8f28611df60d185 | pdf-objstm-decoded | PDF /ObjStm 5167 0 obj (inflated) | 20991 bytes | ClamAV: no threats found. Obfuscation or payload: likely. Carved artifact contains 4 long base64-like blobs.
objstm_5168_00.bin | 07906573af42019893100e8ad93b49e6558fecbde529052ff1771bad092d8ef0 | pdf-objstm-decoded | PDF /ObjStm 5168 0 obj (inflated) | 1215 bytes |
objstm_5169_00.bin | 35d5249bd9164c4f02c1ac11aa0883648836651b7f95a912809a49fb286a224e | pdf-objstm-decoded | PDF /ObjStm 5169 0 obj (inflated) | 5521 bytes |
font_00_cff_off00023c5f.bin | a04f6dce4f42a1ee29a202744df41c1d0e3e799890553355fab878b9cc66d1ca | pdf-font-stream | PDF embedded font (cff) at offset 0x23C5F | 520 bytes |
font_01_cff_off00023ed4.bin | 2e2e85ed48fd099e74ccc5b552853aed08c098abff4832ec52e45135cc8ccd68 | pdf-font-stream | PDF embedded font (cff) at offset 0x23ED4 | 3656 bytes |
font_02_cff_off00024bb2.bin | ecc8d45be14cfd57e124d8bfe079bd5ea104ed5f9380215de609beca94b67717 | pdf-font-stream | PDF embedded font (cff) at offset 0x24BB2 | 3465 bytes |
font_03_cff_off00025776.bin | 72ed3ac0254744a63361a9df6fe404e2532947389187c6f750fbadf4669118d3 | pdf-font-stream | PDF embedded font (cff) at offset 0x25776 | 5938 bytes |
font_04_cff_off00026b94.bin | f7578711c6050b11dd76327cd64be76ff7933e010ae5ca31bf92a1916508d226 | pdf-font-stream | PDF embedded font (cff) at offset 0x26B94 | 5491 bytes |
font_05_cff_off0006155f.bin | 67d1e421bd0c7a3f898ab5b931c68d47f5e43b177bc17f32a5a7c1f354ecf867 | pdf-font-stream | PDF embedded font (cff) at offset 0x6155F | 5595 bytes |
font_06_cff_off0006281d.bin | f385cd77927c46e6e61f0fb4e94c4013c1f397535ac26c60259ea3bd37ec29fb | pdf-font-stream | PDF embedded font (cff) at offset 0x6281D | 5226 bytes |
font_07_cff_off000639a4.bin | cf1c70e46837e195cee642320c5a84c9a8b6c5f47641567ab9bc7e734ddb97e3 | pdf-font-stream | PDF embedded font (cff) at offset 0x639A4 | 4831 bytes |
font_08_cff_off000662a3.bin | 3a67aa154d48a68f91d3e3f8bfbd74984577bb33ae2884297c85c86bdbca5ff4 | pdf-font-stream | PDF embedded font (cff) at offset 0x662A3 | 5722 bytes |
font_09_cff_off000675f5.bin | fe7091e6722f7c526624265598c1d05035b0aa86b57a36280ab2ed80163fb1d4 | pdf-font-stream | PDF embedded font (cff) at offset 0x675F5 | 5290 bytes |
font_10_cff_off000a05d8.bin | 20832658a7e78786bbd255458fc72f68446153e8ac7dc2de650fabe3203f6da8 | pdf-font-stream | PDF embedded font (cff) at offset 0xA05D8 | 1272 bytes |
font_11_cff_off000a5a6d.bin | e82807c88fa2f82a999af743d15c7b092ae7298f046fef4cb77318d8174b7935 | pdf-font-stream | PDF embedded font (cff) at offset 0xA5A6D | 1785 bytes |
font_12_cff_off000bdd48.bin | e9d8c99cd8e86c97296b34aca921bb89cada95e7fdc670e57e91fbe1f4d5fc95 | pdf-font-stream | PDF embedded font (cff) at offset 0xBDD48 | 5575 bytes |
font_13_cff_off000bf03b.bin | 44b6c4a20c9f4158ecf8d631136faf00b2036773912b2adedd851dbde8372530 | pdf-font-stream | PDF embedded font (cff) at offset 0xBF03B | 5594 bytes |
font_14_cff_off000c034a.bin | bc832621532810b0de266ddbce3f0c75dc71a262b3fee590031a2c9a213bec0b | pdf-font-stream | PDF embedded font (cff) at offset 0xC034A | 5718 bytes |
font_15_cff_off000c1687.bin | 71a0b47a9760069ed1d891a202f7907382b50649d09282ca2c2555e65a0a5a76 | pdf-font-stream | PDF embedded font (cff) at offset 0xC1687 | 6194 bytes |
font_16_cff_off000d397d.bin | 8bf13b68a963aa01c6c0c8d0d27058616b3d6ce2128eb5a8351519b8adfbdecf | pdf-font-stream | PDF embedded font (cff) at offset 0xD397D | 2290 bytes |
font_17_cff_off000d5bb8.bin | 8478167736eb2846bb7daa01020dbff1b345e9e205d422727490bb85e89621f9 | pdf-font-stream | PDF embedded font (cff) at offset 0xD5BB8 | 5697 bytes |