PDF malware analysis — malicious · 5f93a056721aa3d2

MALICIOUS

PDF

143.0 KB

MD5: 6f558ee17a5cf48a21cc088acbe8f4ef SHA-1: 5bb60f4c9847d21979f4a1e51fd55de205779575 SHA-256: 5f93a056721aa3d2af855534a5f87931d0e000e0a2f2c8246b9efbe88802dfa8

116 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains JavaScript that is flagged as an exploit. This JavaScript is likely responsible for downloading and executing a secondary payload, as indicated by the 'PDF_JS_EXPLOIT_CLUSTER' and 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristics. The presence of embedded files further supports the theory of a multi-stage attack. The specific exploit and payload are not fully discernible from the provided evidence, leading to an 'unknown family' classification.

Machine Learning

Nyx PDF Classifier clean score 0.0207

Heuristics 8

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ocsp.verisign.com0
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xfa/promoted-desc/
- http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.6/
- http://www.xfa.org/schema/xfa-template/2.6/
- http://www.w3.org/1999/xhtml
- http://www.xfa.org/schema/xfa-data/1.0/
- http://www.xfa.org/schema/xfa-template/2.8/
- http://www.xfa.org/schema/xfa-locale-set/2.6/
- http://ns.adobe.com/xfdf/
- http://www.xfa.org/schema/xfa-form/2.8/
- http://cgi.adobe.com/special/acrobat/update
- http://crl.verisign.com/tss-ca.crl0
- http://crl.verisign.com/ThawteTimestampingCA.crl0
- https://www.verisign.com/rpa
- http://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0D
- https://www.verisign.com/rpa0
- http://csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0
- http://www.adobe.com/typehttp://www.adobe.com/type/legal.html

Extracted artifacts 12

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0001.bin` `bca11f45dec9a0b78db00f591689c9a2c1451f5916075275870ba56e74fe6c27`	pdf-embedded-file	PDF EmbeddedFile object 1 at offset 0x1F61D	163 bytes
`embedded_file_obj0002.bin` `f58005d521c4f52662f4ebde969ea759f403f6f10a502f621abd91bc3f7365e0`	pdf-embedded-file	PDF EmbeddedFile object 2 at offset 0x1F70D	1678 bytes
`embedded_file_obj0003.bin` `1ad802ec881efb9c2a6037db9b68f6c27a1344327df56ae76041da14d4f969bf`	pdf-embedded-file	PDF EmbeddedFile object 3 at offset 0x1FA24	50263 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 long base64-like blob(s).
`embedded_file_obj0004.bin` `bfff1586053f8005ff03b85b76471914c8ed164445b816ae476d50b551f1e7c8`	pdf-embedded-file	PDF EmbeddedFile object 4 at offset 0x219A0	2860 bytes
`embedded_file_obj0005.bin` `55aba32b75c834cf60f6fdc6f08ff7cef02b198141ec7ddbae95cc92dd77d87d`	pdf-embedded-file	PDF EmbeddedFile object 5 at offset 0x21CF6	642 bytes
`embedded_file_obj0006.bin` `796387548f51426d8ebcc4001c5456e153f122c66bae5c3833bc3e9d2ddc04d2`	pdf-embedded-file	PDF EmbeddedFile object 6 at offset 0x21DF0	1535 bytes
`embedded_file_obj0007.bin` `2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19`	pdf-embedded-file	PDF EmbeddedFile object 7 at offset 0x220B2	80 bytes
`embedded_file_obj0008.bin` `4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1`	pdf-embedded-file	PDF EmbeddedFile object 8 at offset 0x2215B	56 bytes
`stream_002_off0000044f.js` `f94e41f586bf3f20bc1deeac4bfbda388a61db43f25fbd6304ba73f5653368cf`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x44F	1313 bytes
`stream_003_off0000062e.js` `1b2ec98752b966f601d5223a750559cf13d562ac5e5c6d1fcc7217835b01f5fd`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x62E	902 bytes
`objstm_0158_00.bin` `035ef35c93953fe01813a424aa9470ebb9b719e904cb35b9e970f80c944e6453`	pdf-objstm-decoded	PDF /ObjStm 158 0 obj (inflated)	17597 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 6 long base64-like blob(s).
`font_00_sfnt_off00000d8d.bin` `1626e6329f65d0d35cdf751ec668ac4b8800d726707d01e7810bb8297d789dee`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD8D	94351 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.