Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f4e2889f13d2f4d…

Verdict: MALICIOUS
File type: PDF
Size: 466.4 KB
Created: 2011-03-10 11:57:40 UTC
Authoring application: TeleForm 10.2 (10232) with Electric Paper PDF Plus² Forms 3.1.226 (2.0.49.490)
MD5: 63bd4848a267cc53d5e2c12567797e2b
SHA-1: 01c55e81e02db175d3377b5a62d7dcccd02badb3
SHA-256: 5f4e2889f13d2f4dc467811f316ee1286e33116e5776d5bac5e1f84b4fca6267
Risk score: 226

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF contains multiple JavaScript streams, several of which use obfuscation-related calls such as eval() and unescape(). The ML classifier also flagged the PDF as malicious. Taken together, the embedded JavaScript and the exploit-related heuristics suggest the document is designed to execute malicious code, most likely to download and run a secondary payload. The URL http://www.dynaforms.com is the only non-benign external resource found.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9490

Heuristics (10)

  • PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call (high, PDF_EVAL)
    eval() found; commonly used for obfuscated exploit execution (matched inside decoded stream).
  • unescape() call (high, PDF_UNESCAPE)
    unescape() found; often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
  • Unusually high stream count (medium, PDF_MANY_STREAMS)
    PDF contains 501+ stream objects; may indicate heap spray or heavy obfuscation.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (low, PDF_FROMCHARCODE)
    String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
  • AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.dynaforms.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.adobe.com/products/acrobat/readstep2.html
    Apart from http://www.dynaforms.com, the entries above are standard XMP/RDF metadata namespace identifiers and Adobe's Reader download page, which are expected in PDF metadata.

Extracted artifacts (25)

Files carved from inside the sample during analysis.

Each entry lists: Filename / SHA-256 / Kind | Source | Size, followed by a Detection line where the carved file matched static triage.
javascript_obj2006_000.js
baf9cbdea88593024b2b12c6777d51479cc38ef798b18600d3b6600f23d6851d
Kind: pdf-javascript-stream | Source: PDF /JS object 2006 at offset 0x1583 | Size: 101 bytes
Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
javascript_obj2007_001.js
cac5feb65c9482ab3e5302e13d6842c8f757febaee3fac1b635bb67784a471a4
Kind: pdf-javascript-stream | Source: PDF /JS object 2007 at offset 0x161B | Size: 73 bytes
Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
javascript_obj2009_003.js
c3cdcd4ff9a9030c24420179fc3118b240d6fc5eb693baad7641d6930a15d136
Kind: pdf-javascript-stream | Source: PDF /JS object 2009 at offset 0x16CD | Size: 61 bytes
Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
javascript_obj2010_004.js
ac94d45b250614b38d40305a0f6e6ccda9a2da0516c64f21de434f5bf6481696
Kind: pdf-javascript-stream | Source: PDF /JS object 2010 at offset 0x1739 | Size: 59 bytes
Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
javascript_obj2134_017.js
d36cdebd55ae13c49b5ddce8febff58eb3ffd43fe884eff6a4d5de9832137154
Kind: pdf-javascript-stream | Source: PDF /JS object 2134 at offset 0xAE9C | Size: 34 bytes
javascript_obj2146_019.js
f9c454b9bf739f4a88e918fd78866ce97b37e5366c1fdd3a5048f229291cd076
Kind: pdf-javascript-stream | Source: PDF /JS object 2146 at offset 0xB366 | Size: 35 bytes
javascript_obj2147_020.js
4640479262a6e2bd6ef3a88b206cc9cbf4c6c577c88c681b94727dc90bd731ce
Kind: pdf-javascript-stream | Source: PDF /JS object 2147 at offset 0xB3B8 | Size: 35 bytes
javascript_obj2148_021.js
7fddf0133384bb49a5b87cb2cdaa1928f440524537f2188a3c363dcd65ea3f7a
Kind: pdf-javascript-stream | Source: PDF /JS object 2148 at offset 0xB40A | Size: 87 bytes
javascript_obj2154_023.js
f85c9446eb564dbf2c73c1a72a7b4291bce0fe2827dda99d4488cf8aea485b4a
Kind: pdf-javascript-stream | Source: PDF /JS object 2154 at offset 0xB67B | Size: 47 bytes
javascript_obj2156_024.js
28c7527ef881c2c84481beeeaca17173fcd897524c3866ed55ab406830103318
Kind: pdf-javascript-stream | Source: PDF /JS object 2156 at offset 0xB7AC | Size: 35 bytes
javascript_obj2157_025.js
e526352f0273ed717a7acf68db06e27d683c941ec71e60621ca23e848aeded9a
Kind: pdf-javascript-stream | Source: PDF /JS object 2157 at offset 0xB7FE | Size: 35 bytes
javascript_obj2159_026.js
843139fbe58f4020f9ca4daca070075b3da932a4eab39fc9e81ce391cf353712
Kind: pdf-javascript-stream | Source: PDF /JS object 2159 at offset 0xB884 | Size: 41 bytes
javascript_obj2232_029.js
b3697a78a6ec9537bbf15c3c4ba7b6bab3a1f3a81a970c22118c06e44b782b61
Kind: pdf-javascript-stream | Source: PDF /JS object 2232 at offset 0xE6EC | Size: 62 bytes
javascript_obj2234_031.js
fdef0db562beac911d6b4341f88d793116d5e6fccb75a5e11e13571d1f11e5f9
Kind: pdf-javascript-stream | Source: PDF /JS object 2234 at offset 0xE7AB | Size: 33 bytes
javascript_obj2242_033.js
ecedc3038ddcd3dd129633e6ae47f741b628726f27063b62be76e5dec72579a3
Kind: pdf-javascript-stream | Source: PDF /JS object 2242 at offset 0xEBBC | Size: 49 bytes
javascript_obj0029_037.js
750c026a4f478475d31f95723584520d2ad084bc594cd6cbd8d743c10095fd2d
Kind: pdf-javascript-stream | Source: PDF /JS object 29 at offset 0x180B4 | Size: 42 bytes
javascript_obj0289_040.js
fb6a65b45260877fb99a8a32e752407efc4c67e36d6a13d6471e972c78f9b299
Kind: pdf-javascript-stream | Source: PDF /JS object 289 at offset 0x22E2D | Size: 47 bytes
javascript_obj1625_044.js
858c12ca857900aaebec8d105192b9e5c43d8b5a823d35e52eb3af4527391adc
Kind: pdf-javascript-stream | Source: PDF /JS object 1625 at offset 0x578EA | Size: 34 bytes
javascript_obj1997_045.js
1a10e4d7e8cf7666cbb1c3ba0a282101592fa9f308d957ec541818e0892b0e84
Kind: pdf-javascript-stream | Source: PDF /JS object 1997 at offset 0x688A2 | Size: 6441 bytes
javascript_obj2019_046.js
4742e1c1fe85d5dc947b9d638a723cf61507e38e70ab6b1fb7b2fb32d6b71a7b
Kind: pdf-javascript-stream | Source: PDF /JS object 2019 at offset 0x2B3B | Size: 5937 bytes
Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
javascript_obj2021_047.js
3f5a767f9bef30d1052725d76be6cb561ee9aed995c65cfe0bf9703b107cc376
Kind: pdf-javascript-stream | Source: PDF /JS object 2021 at offset 0x33BA | Size: 1791 bytes
javascript_obj2023_048.js
6973253da093bc525926a71769c424f86da4235fce6749eb371963c7e54e4600
Kind: pdf-javascript-stream | Source: PDF /JS object 2023 at offset 0x373C | Size: 20324 bytes
Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact contains 31 eval/decoder/string-building token(s))
javascript_obj2025_049.js
258cce54449cfbf6889e4d9fa4d8835758c66198fd1476b54174a6fc5faa8022
Kind: pdf-javascript-stream | Source: PDF /JS object 2025 at offset 0x47E4 | Size: 22718 bytes
Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact contains 34 eval/decoder/string-building token(s))
javascript_obj2027_050.js
f1a2798053b078aeef7c6daecb27312316237b57f8ed10042a3a6bb22bdb1388
Kind: pdf-javascript-stream | Source: PDF /JS object 2027 at offset 0x5DD2 | Size: 21793 bytes
Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact contains 13 eval/decoder/string-building token(s))
javascript_obj2029_051.js
e183cfdb18a135a3d733332d0b48c29206c6522e9e044e47308b24076b63fbb4
Kind: pdf-javascript-stream | Source: PDF /JS object 2029 at offset 0x7079 | Size: 805 bytes