Malicious PDF — malware analysis report

Static analysis result for SHA-256 5cc14b8d68439d8b…

Verdict: MALICIOUS
File type: PDF
File size: 53.9 KB
MD5: bb915e17aa3d5bbe603b3b1e4531a5e8
SHA-1: a621d83e289f8c3d9b37471180e529f823d38eb5
SHA-256: 5cc14b8d68439d8b16fcc1f4b26c2892877b9d1d746c4939c78269f9743dcf4b
Risk Score: 116

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript streams and is flagged as an exploit cluster targeting XFA forms. The JavaScript code, although obfuscated, is designed to execute arbitrary code, likely downloading a second-stage payload from the identified URL. The presence of XFA and JavaScript points to a common exploit delivery method for PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • PDF JavaScript exploit cluster (severity: critical, rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form (severity: low, rule: PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.bitstream.com
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source location in the PDF, and size.

  • javascript_obj0012_000.js
    SHA-256: 6e031d90b0b2e0ba23e3455c65583fc9978384d9c9f19802ba5e25df670ec42b
    Kind: pdf-javascript-stream
    Source: PDF /JS object 12 at offset 0xC3C3
    Size: 4131 bytes
  • javascript_obj0012_001.js
    SHA-256: 08cfa4ccd4a9d6b478a13d7521a4776f36ec07e323b195957678ffc8f2621f10
    Kind: pdf-javascript-stream
    Source: PDF /JS object 12 at offset 0xC3E5
    Size: 5017 bytes
  • font_00_sfnt_off0000032f.bin
    SHA-256: 5d172cb4e65a1aa2abf0439afa2997f22a34d710560c6d4f86afa03139c3291c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x32F
    Size: 49225 bytes