Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d8a484cd1523e3a…

MALICIOUS

PDF

44.5 KB
MD5: 60baf86dc1a2a95031ec98b87904b368 SHA-1: 2b4feaeb05a5393166cc44792ceb4b3d7661e886 SHA-256: 5d8a484cd1523e3a9103487b0bc0e78eec94e83e92f38f4b62fccf679bc8c8ee
118 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and triggers heuristics related to PDF JavaScript exploits, including XFA forms. The JavaScript code appears to be obfuscated but is designed to execute a string, likely a URL, which is then passed to a function that would download and execute a payload. The presence of the 'ML_NYX_PDF_MALICIOUS' heuristic with a high score further supports the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 6

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js
7996fb0fe6f14a3f447e411ba9affb661188e2c132740b46f677dbc8b1098db7		 pdf-javascript-stream PDF /JS object 7 at offset 0x86B 978 bytes
font_00_sfnt_off000010d5.bin
044efaa0fcddad6a1afc97a6bd112675dff8d542f6a622fb73e7eb17d43d90f7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10D5 65932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.