Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c52059a57760e6e…

Verdict: MALICIOUS
File type: PDF
Size: 48.0 KB
MD5: 472648fa5e877423db680ceddd27c538
SHA-1: c5d07d97bbccc6f84c9ac805eaca84cf5803d34e
SHA-256: 5c52059a57760e6ee96e78b9449542e7e14d8f2877d45313d9e89decf06fe562
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF contains JavaScript that the heuristics correlate into an exploit cluster: an executable script/action surface found alongside exploit-staging indicators, plus XFA form content that itself carries a <script> block. Eight /EmbeddedFile objects are also present; these are the most plausible carrier for a nested second-stage payload and should be carved and inspected. Note that the extracted URLs are XMP/XFA schema namespace identifiers and an Adobe update endpoint, none of which is evidence of a download location for a second stage, so the delivery mechanism should be confirmed from the decoded JavaScript and the embedded files rather than inferred from the URL list.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0277 (a low clean score, consistent with the MALICIOUS verdict)

Heuristics (7)

  • PDF_JS_EXPLOIT_CLUSTER (critical): PDF JavaScript exploit cluster
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF_EMBEDDED (low): Embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF_XFA (low): XFA form
    PDF uses XML Forms Architecture, which can contain script logic. (matched inside decoded stream)
  • PDF_EMBEDDED_SCRIPT_PAYLOAD (low): Embedded script payload in PDF stream
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; this is common in accessible XFA forms but worth surfacing for analyst review.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All but the last URL below are XML namespace identifiers (RDF, Dublin Core, XMP and XFA schema declarations) from the document's metadata and XFA content, not navigable links; the last is an Adobe endpoint.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.4/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xtd/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://cgi.adobe.com/special/acrobat/update
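The heuristics above are string-level checks run over the raw file and over every decoded stream, then correlated into one critical verdict. The following Python scanner is an added example written for this page, not the analysis tool's own code: it builds two constructed PDFs (one mimicking this sample's JavaScript staging, XFA script and attachment, the other a plain form), inflates FlateDecode streams, records where each rule matched (mirroring the "matched inside decoded stream" annotation), promotes the correlation to PDF_JS_EXPLOIT_CLUSTER, and labels every extracted URL as an xmlns declaration or a link. The rule ids reuse the report's names; the regexes, the sample objects and the URL http://example.invalid/stage2 are assumptions for illustration.

```python
import re
import zlib

# Constructed sample PDFs, built inline so the scanner runs offline. They are NOT the
# file from the report; they only reproduce the features the heuristics key on.
JS_STAGING = b'var s = unescape("%u4141%u4141"); eval(s);'   # exploit-staging JavaScript
JS_BENIGN = b'this.getField("total").value = 42;'             # ordinary form JavaScript
XFA_XDP = (
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.4/">'
    b'<script contentType="application/x-javascript">app.alert(1);</script>'
    b'</template></xdp:xdp>'
)

def _flate_obj(num, payload):
    data = zlib.compress(payload)
    return (b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(data))
            + data + b"\nendstream\nendobj\n")

def _build_pdf(js, xfa=None, embedded=None, uri=None):
    catalog = b"<< /Type /Catalog /Pages 2 0 R /Names << /JavaScript << /Names [(init) 3 0 R] >> >>"
    if xfa is not None:
        catalog += b" /AcroForm << /XFA 4 0 R >>"
    pdf = b"%PDF-1.7\n1 0 obj\n" + catalog + b" >>\nendobj\n"
    pdf += b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    pdf += b"3 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n" + _flate_obj(5, js)
    if xfa is not None:
        pdf += _flate_obj(4, xfa)
    if embedded is not None:   # raw (unfiltered) attachment stream
        pdf += (b"6 0 obj\n<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(embedded)
                + embedded + b"\nendstream\nendobj\n")
    if uri is not None:        # link annotation: a URL reached from the document body
        pdf += b"7 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + uri + b") >> >>\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

MALICIOUS_PDF = _build_pdf(JS_STAGING, XFA_XDP, b"MZ constructed-nested-payload",
                           b"http://example.invalid/stage2")   # hypothetical URL, constructed
BENIGN_FORM_PDF = _build_pdf(JS_BENIGN)

# Rule id -> (severity, pattern). Ids and severities follow the report; patterns are assumptions.
RULES = {
    "PDF_JAVASCRIPT":              ("low", rb"/JavaScript\b"),
    "PDF_JS":                      ("low", rb"/JS\b"),
    "PDF_XFA":                     ("low", rb"/XFA\b|<xdp:xdp\b"),
    "PDF_EMBEDDED":                ("low", rb"/EmbeddedFile\b"),
    "PDF_EMBEDDED_SCRIPT_PAYLOAD": ("low", rb"<script\b"),
}
STAGING = rb"\beval\s*\(|\bunescape\s*\(|\.fromCharCode\s*\("
URL_RE = rb"https?://[^\s<>\"')\]]+"
XMLNS_RE = rb'xmlns(?::\w+)?\s*=\s*"(https?://[^"]+)"'

def iter_views(pdf):
    """Yield (label, bytes): the raw file, then every stream with FlateDecode inflated."""
    yield "document body", pdf
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        raw = m.group(1)
        try:
            yield "decoded stream @0x%X" % m.start(1), zlib.decompress(raw)
        except zlib.error:                      # not Flate (or not compressed): scan as-is
            yield "raw stream @0x%X" % m.start(1), raw

def scan(pdf):
    """Return {rule_id: (severity, where_first_matched)}, including the correlated cluster."""
    views = list(iter_views(pdf))
    hits = {}
    for rule, (sev, pat) in RULES.items():
        where = next((lbl for lbl, data in views if re.search(pat, data)), None)
        if where:
            hits[rule] = (sev, where)
    staging = [lbl for lbl, d in views if re.search(STAGING, d)]
    xfa_script = [lbl for lbl, d in views if b"<script" in d and b"xfa.org" in d]
    # The cluster needs a script surface AND a staging indicator; plain form JS never qualifies.
    if ("PDF_JAVASCRIPT" in hits or "PDF_JS" in hits) and (staging or xfa_script):
        hits["PDF_JS_EXPLOIT_CLUSTER"] = ("critical", ", ".join(staging + xfa_script))
    return hits

def extract_urls(pdf):
    """Return {url: (channel, label)}; label is 'xml-namespace' for xmlns declarations, else 'link'."""
    urls = {}
    for lbl, data in iter_views(pdf):
        namespaces = {m.group(1) for m in re.finditer(XMLNS_RE, data)}
        for m in re.finditer(URL_RE, data):
            label = "xml-namespace" if m.group(0) in namespaces else "link"
            urls.setdefault(m.group(0).decode("latin-1"), (lbl, label))
    return urls

if __name__ == "__main__":
    for name, pdf in (("malicious", MALICIOUS_PDF), ("benign form", BENIGN_FORM_PDF)):
        print(name, scan(pdf))
        print(name, extract_urls(pdf))
```

On the constructed malicious sample the two namespace URLs come back labelled xml-namespace and only the link annotation's URL is a real link; on the benign form the generic PDF_JAVASCRIPT and PDF_JS rules still fire but the cluster does not, which is exactly the distinction the report's severity levels encode.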

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

embedded_file_obj0001.bin
  SHA-256: f7ee3ef2f8f35d669a6c2b8b0b0ee89655bbc3d04b107a8d22531830f6fc28a1
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 1 at offset 0x9012
  Size:    86 bytes

embedded_file_obj0002.bin
  SHA-256: 06fce78f2879c9edf1492c15fbff8c3121c17ff453ae49c628f00562599f6f93
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 2 at offset 0x90C5
  Size:    1472 bytes

embedded_file_obj0003.bin
  SHA-256: 7fa044ffe67843aae00bcdb70ebbbb51aaaf5d233a2af7be1ab416d990c7859d
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 3 at offset 0x9385
  Size:    25552 bytes

embedded_file_obj0004.bin
  SHA-256: 7108ac5e7a02d988f13fea882a98d306ac44807391e3ac732defcecbb25a7de6
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 4 at offset 0x9E3B
  Size:    1574 bytes

embedded_file_obj0005.bin
  SHA-256: 226eeacc5eecef2a05ca480f144ff6936594e20b5c7672e8f29f25c8bea65a56
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 5 at offset 0xA003
  Size:    2928 bytes

embedded_file_obj0006.bin
  SHA-256: 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 6 at offset 0xA370
  Size:    200 bytes

embedded_file_obj0007.bin
  SHA-256: 38986021c2d8e32e5659b81c7b9582b356b5f5a98aa099bcd7a09b1f63696833
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 7 at offset 0xA463
  Size:    835 bytes

embedded_file_obj0008.bin
  SHA-256: 4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 8 at offset 0xA63A
  Size:    56 bytes

stream_002_off00000571.js
  SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x571
  Size:    1532 bytes

stream_003_off0000075c.js
  SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x75C
  Size:    870 bytes

objstm_0134_00.bin
  SHA-256: 837e2b0c5a86a8d5f224b4cdb9c99e042b32297173c6781156cd0566d6ebb8e9
  Kind:    pdf-objstm-decoded
  Source:  PDF /ObjStm 134 0 obj (inflated)
  Size:    19519 bytes
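Carving attachments and unpacking /ObjStm containers is what produced the artifact list above (eight EmbeddedFile objects, two inflated streams and one object stream). The following Python example is added here and is not part of the report or its tool: on a constructed PDF it carves each /Type /EmbeddedFile stream with its object number, file offset, inflated size and SHA-256, and expands an /ObjStm so that a /JavaScript action packed inside it, invisible to a grep over the raw bytes, becomes visible. The object numbers, the fake attachment bytes and the sample layout are assumptions; the /ObjStm layout (integer pairs of object number and offset, then the objects starting at /First) follows the PDF specification.

```python
import hashlib
import re
import zlib

# One object-with-stream: number, dictionary body, stream bytes. The dictionary group is
# kept from crossing an "endobj" so stream-less objects are never merged into the next one.
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)

def _stream_obj(num, dict_body, payload):
    data = zlib.compress(payload)
    return (b"%d 0 obj\n<< %s /Length %d /Filter /FlateDecode >>\nstream\n" % (num, dict_body, len(data))
            + data + b"\nendstream\nendobj\n")

def _build_objstm(num, objs):
    """Lay out an /ObjStm as the spec does: 'objnum offset' pairs, then the objects at /First."""
    header, body = b"", b""
    for n, data in objs:
        header += b"%d %d " % (n, len(body))      # offset is relative to /First
        body += data + b"\n"
    return _stream_obj(num, b"/Type /ObjStm /N %d /First %d" % (len(objs), len(header)), header + body)

# Constructed sample (not the report's file): one Flate-compressed attachment and an object
# stream that hides the /JavaScript action and the file specification from a naive grep.
FAKE_EXE = b"MZ\x90\x00 constructed fake executable bytes"
HIDDEN_OBJECTS = [
    (10, b"<< /Type /Action /S /JavaScript /JS (app.alert(1)) >>"),
    (11, b"<< /Type /Filespec /F (invoice.exe) /EF << /F 12 0 R >> >>"),
]
SAMPLE_PDF = (
    b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 10 0 R"
    b" /Names << /EmbeddedFiles << /Names [(invoice.exe) 11 0 R] >> >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    + _stream_obj(12, b"/Type /EmbeddedFile", FAKE_EXE)
    + _build_objstm(13, HIDDEN_OBJECTS)
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

def _inflate(dict_body, raw):
    return zlib.decompress(raw) if b"/FlateDecode" in dict_body else raw

def carve_embedded_files(pdf):
    """Carve every /Type /EmbeddedFile stream: object number, file offset, inflated size, SHA-256."""
    out = []
    for m in OBJ_RE.finditer(pdf):
        if re.search(rb"/Type\s*/EmbeddedFile\b", m.group(2)):
            data = _inflate(m.group(2), m.group(3))
            out.append({"obj": int(m.group(1)), "offset": m.start(), "size": len(data),
                        "sha256": hashlib.sha256(data).hexdigest()})
    return out

def expand_objstms(pdf):
    """Return {objnum: dictionary bytes} for every object packed inside an /ObjStm container."""
    found = {}
    for m in OBJ_RE.finditer(pdf):
        d = m.group(2)
        if not re.search(rb"/Type\s*/ObjStm\b", d):
            continue
        count = int(re.search(rb"/N\s+(\d+)", d).group(1))
        first = int(re.search(rb"/First\s+(\d+)", d).group(1))
        data = _inflate(d, m.group(3))
        pairs = [int(x) for x in data[:first].split()]      # objnum, offset, objnum, offset, ...
        for i in range(count):
            objnum, start = pairs[2 * i], pairs[2 * i + 1]
            end = pairs[2 * i + 3] if i + 1 < count else len(data) - first
            found[objnum] = data[first + start:first + end].strip()
    return found

def hidden_javascript_objects(pdf):
    """Object numbers carrying a /JavaScript action that only appear after /ObjStm expansion."""
    return sorted(n for n, body in expand_objstms(pdf).items()
                  if re.search(rb"/S\s*/JavaScript\b", body))

if __name__ == "__main__":
    for rec in carve_embedded_files(SAMPLE_PDF):
        print("embedded file", rec)
    print("raw grep sees /JavaScript:", b"/JavaScript" in SAMPLE_PDF)
    print("after ObjStm expansion:", hidden_javascript_objects(SAMPLE_PDF))
```

The hashes of the carved bytes are what you pivot on (they are what the artifact table records), so always hash the inflated data rather than the compressed stream; and any scanner that skips /ObjStm expansion will report a file like the sample above as having no JavaScript at all.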