PDF static analysis report

Static analysis result for SHA-256 5d0caa330e166568…

Verdict: SUSPICIOUS
File type: PDF
Size: 15.4 KB
Created: 2006-03-22 00:33:14 -06:00
Authoring application: Adobe Acrobat 7.05 (via Adobe Acrobat 7.05 Image Conversion Plug-in)
First seen: 2017-11-13
MD5: 7083dc05e3fa862750057cdc5322f83a
SHA-1: 885b2ac84405e29ed2e5fa3ef4ca0c5dbd0acf24
SHA-256: 5d0caa330e16656839ed153e8ca9c05c42f5ad7e54d2410eca1c29287a2b4b25
Risk score: 50

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment

The PDF carries JavaScript in two /JS stream objects. The first script calls app.launchURL() on the relative targets 'pdf2.pdf' and 'index.html' with bNewFrame set to true, so Acrobat hands each target to the default browser in a new window; because the targets are relative, what they reach depends on the location the PDF was opened from. The second script launches this.baseURL + this.documentFileName, that is, the URL of the document itself, which is consistent with the file being meant to be opened from a web location rather than from a local download. The host http://trafficstatic.vacau.com appears in the document text, not in either script, so static analysis cannot tie it to the launches; it is, however, the only URL in the file not explained by standard PDF/XMP structure and is the natural candidate for the redirection the scripts set up (inference, not an observed link). The Nyx classifier scored the file 0.9994 malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9994

Heuristics (4)

  • JavaScript action [low; 1 related finding] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in PDF document text:
    • http://trafficstatic.vacau.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    The last five are standard XMP/RDF namespace identifiers from the document's metadata stream, not contact points; only http://trafficstatic.vacau.com is unexplained by normal PDF structure.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0017_000.js | pdf-javascript-stream | PDF /JS object 17 at offset 0x56E | 84 bytes
SHA-256: d65b081884ee54d01aa1cff666df1b4420d527945db5cc975049644a144e123a
Preview (first 1,000 lines of the extracted script):
var earl = "pdf2.pdf";
app.launchURL(earl, true);
app.launchURL("index.html", true);

javascript_obj0006_001.js | pdf-javascript-stream | PDF /JS object 6 at offset 0x18A9 | 75 bytes
SHA-256: 663eacd41afd30506029d311b11774e53c320e055503a1d428ae07c1840636fe
Preview (first 1,000 lines of the extracted script):
var earl = this.baseURL + this.documentFileName;
app.launchURL(earl, true);
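The two findings above that a practitioner would want to reproduce by hand are the duplicate-object heuristic (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, where first-wins and last-wins readers resolve different bodies) and the carving of /JS streams. The following is an added example, not code from the analysis platform that produced this report: a minimal regex-based PDF object walker that lists every indirect object definition, keeps duplicates instead of merging them, resolves /JS targets under both a first-wins and a last-wins policy, and raises the duplicate finding only when the duplicated object is itself a /JS target. The sample PDF is constructed inline; its object numbers (6 and 17) and the two scripts mirror the shape of this report, but the bytes, offsets and the benign first definition of object 6 are hypothetical. The list of "dangerous" Acrobat APIs is an assumption standing in for the separate rules the report mentions.

```python
import re
import zlib
from collections import defaultdict

# Regexes for a flat, uncompressed PDF body. Object streams (/ObjStm) and
# dictionaries containing literal "endobj"/"endstream" are out of scope.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+(\d+)\s+R\b")
JS_STR_RE = re.compile(rb"/JS\s*\(((?:[^()\\]|\\.)*)\)", re.S)  # no nested parens
# Assumed list of Acrobat JS APIs worth scoring separately (not the report's own rules).
DANGEROUS_API_RE = re.compile(rb"app\.launchURL|this\.submitForm|app\.openDoc|util\.printf")


def parse_objects(pdf):
    """Every indirect object definition in file order: (num, gen, offset, body).
    Duplicates are kept, not merged, because that is the finding we want to see."""
    return [(int(m.group(1)), int(m.group(2)), m.start(), m.group(3))
            for m in OBJ_RE.finditer(pdf)]


def duplicate_bodies(objects):
    """(num, gen) -> list of distinct bodies, for objects defined with >1 different body."""
    seen = defaultdict(list)
    for num, gen, _, body in objects:
        if body not in seen[(num, gen)]:
            seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items() if len(v) > 1}


def resolve(objects, policy):
    """The (num, gen) -> body view a first-wins or last-wins reader would build."""
    table = {}
    for num, gen, _, body in objects:
        if policy == "last" or (num, gen) not in table:
            table[(num, gen)] = body
    return table


def stream_data(body):
    """Raw stream bytes, inflated when the stream dictionary declares /FlateDecode."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    data = m.group(1)
    return zlib.decompress(data) if b"/FlateDecode" in body[:m.start()] else data


def extract_js(objects, policy="last"):
    """[(num, gen, script)] for every /JS target, resolved under `policy`.
    Inline /JS (...) strings are reported under the object that holds them."""
    table = resolve(objects, policy)
    found = []
    for (num, gen), body in table.items():
        for m in JS_REF_RE.finditer(body):
            ref = (int(m.group(1)), int(m.group(2)))
            data = stream_data(table[ref]) if ref in table else None
            if data is not None:
                found.append((ref[0], ref[1], data))
        for m in JS_STR_RE.finditer(body):
            found.append((num, gen, m.group(1)))
    return found


def assess(pdf):
    """Apply the duplicate-object heuristic and carve JS under both reader policies."""
    objects = parse_objects(pdf)
    dups = duplicate_bodies(objects)
    js_first, js_last = extract_js(objects, "first"), extract_js(objects, "last")
    # Severity is raised only when a duplicated object is active content (a /JS target).
    active = sorted(k for k in dups if any((n, g) == k for n, g, _ in js_first + js_last))
    apis = sorted({a.decode() for _, _, s in js_first + js_last for a in DANGEROUS_API_RE.findall(s)})
    return {"duplicate_objects": sorted(dups), "active_duplicates": active,
            "first_wins_js": js_first, "last_wins_js": js_last, "dangerous_apis": apis}


# --- Constructed sample (hypothetical bytes, not the analysed file) ---
def _obj(num, body):
    return b"%d 0 obj\n%s\nendobj\n" % (num, body)


def _stream_obj(num, data, extra=b""):
    return _obj(num, b"<< /Length %d %s>>\nstream\n%s\nendstream" % (len(data), extra, data))


BENIGN_JS = b'app.alert("benign");'
LAUNCH_JS = b'var earl = "pdf2.pdf";\napp.launchURL(earl, true);'
UPDATE_JS = b'var earl = this.baseURL + this.documentFileName;\napp.launchURL(earl, true);'

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + _obj(1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS 17 0 R >> >>")
    + _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")
    + _obj(3, b"<< /Type /Page /Parent 2 0 R /AA << /O << /S /JavaScript /JS 6 0 R >> >> >>")
    + _stream_obj(6, BENIGN_JS)                                   # first definition of 6 0
    + _stream_obj(17, zlib.compress(LAUNCH_JS), b"/Filter /FlateDecode ")
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: object 6 redefined with a different body carrying active content.
    + _stream_obj(6, UPDATE_JS)
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for key, value in assess(SAMPLE_PDF).items():
        print(key, value)
```

Running it shows why the report scores the shape at all: a first-wins reader sees the benign app.alert() in object 6 while a last-wins reader sees the launchURL() script, so a scanner that only builds one view of the cross-reference table misses half of the document. The example resolves every /JS reference under both policies and carves the body each policy would hand to the JavaScript engine.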