Malicious PDF — malware analysis report

Static analysis result for SHA-256 605504868203558d…

Verdict: MALICIOUS
File type: PDF
Size: 15.1 KB
MD5: 83364863218c5a4e45f0fcc9d37dc834
SHA-1: 6f3055ba0005fae4b52e628dc2589f3221b44360
SHA-256: 605504868203558dea64b5f0b137074c66c113d3f86430be507183ad0de7f6e2
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript, indicated by PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_JS_EXPLOIT_CLUSTER and PDF_EVAL firings suggest the JavaScript is malicious and likely attempts to exploit vulnerabilities. The document body mimics financial news to deceive the user, while the embedded script is designed to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0635

Heuristics (7)

  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    The PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call [high] PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream).
  • JavaScript action [low] PDF_JAVASCRIPT
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • Embedded JS stream [low] PDF_JS
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs listed below are the standard RDF/XMP metadata namespace identifiers found in PDF metadata dictionaries; they identify schemas rather than network destinations and should not be treated as network indicators without further evidence.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_009_off00003086.js
    SHA-256: f0c7c0bee6afc38340155373f845e52b012a08bb4d6d123416366ff96772d999
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3086
    Size: 18272 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 23 long base64-like blob(s).
  • objstm_0053_00.bin
    SHA-256: c805b1e482a060d6df265929b3bbe082794f732d1c058041e17627b3e75b4e11
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 53 0 obj (inflated)
    Size: 1708 bytes
  • objstm_0071_00.bin
    SHA-256: 21ee084426e774d05c660102108e57b2df9475e9452fc24758c5acd47d31132a
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 71 0 obj (inflated)
    Size: 32 bytes