Malicious PDF — malware analysis report

Static analysis result for SHA-256 60ae93d632fd100c…

Verdict: MALICIOUS
File type: PDF
Size: 815.3 KB
First seen: 2021-11-02
MD5: 1fd6bf86510934b151c1baab591f2f95
SHA-1: eedfdc4fc944bf418e7fdc0bf6ef60a8fe0b1a51
SHA-256: 60ae93d632fd100c85253fc27b3044dec1ca1a8bc7fc36ce6caa4a4215ec0483
Risk score: 130

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript that uses eval() and String.fromCharCode(), indicating obfuscated code execution. This JavaScript is likely responsible for downloading and executing a secondary payload from the identified external URI. The presence of these JavaScript execution techniques strongly suggests malicious intent, such as a downloader or dropper.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0069

Heuristics (6)

  • JavaScript action (low, 2 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--)d[c.toString(a)]=k[c]||c.toString(a);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('r q(8,7,f,9){8=b.p(8*b.k(h,7))/b.k(h,7);g=8+"";2=g.o(".");6(!2[0])2[0]="0";6(!2[1])2[1]="";6(2[1].4<7){a=2[1];e(i=2[1].4+1;i<=7;i++){a+="0"}2[1]=a;6(2[1].4>0){2[1]=f+2[1]}}6(9!=""&&2[0].4>3){5=2[0];2[0]="";e(j=3;j<5.4;j+ …
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL list (channel that reached each URL in parentheses):
    • http://www.monotype.com (Monotype) (Referenced by PDF JavaScript)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/g/img/ (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (In PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (In PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem# (In PDF document text)
    • http://ns.adobe.com/xmp/InDesign/private (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • https://www.verisign.com/rpa (Referenced by PDF JavaScript)
    • http://ocsp.verisign.com/ocsp/status0 (Referenced by PDF JavaScript)
    • https://www.verisign.com/rpa0 (Referenced by PDF JavaScript)
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0 (Referenced by PDF JavaScript)
    • http://www.microsoft.com/typography (Referenced by PDF JavaScript)
    • http://www.monotype.com/html/mtname/ms_arial.html (Referenced by PDF JavaScript)
    • http://www.monotype.com/html/mtname/ms_welcome.html (Referenced by PDF JavaScript)
    • http://www.monotype.com/html/type/license.html (Referenced by PDF JavaScript)
    • http://www.fscs.org.uk (PDF link annotation)

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256, Detection.

  • stream_003_off00000859.js
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x859
    Size: 788 bytes
    SHA-256: e18eb7f17ce98a8e0891018432f5a16ecbab416f3cabc965bb3ef9cf0c305372
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
  • stream_004_off00000a91.js
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xA91
    Size: 1928 bytes
    SHA-256: acda5fee154de073a2ceab58c5e545c42bb75ce0522cf172edfbe927de58a933
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s))
  • stream_105_off0008e1b4.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x8E1B4
    Size: 367087 bytes
    SHA-256: b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa
  • objstm_0441_00.bin
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 441 0 obj (inflated)
    Size: 2565 bytes
    SHA-256: e3064a57e0e58736cc3063a1de68ee4fab27bae025ac95e633148e2ff57cd225
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
  • objstm_0156_00.bin
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 156 0 obj (inflated)
    Size: 8570 bytes
    SHA-256: 839bd2580834a2f2bb23c786d20c7ba93cec0490e548a146feb5b5e3eca1c75d
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact contains 3 long base64-like blob(s))
  • font_00_cff_off00001f82.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1F82
    Size: 7347 bytes
    SHA-256: 19ae1ea3d524141b8c675376bf4512fdd17a5f9dc3c6760f81ff252ba00b2d0e
  • font_01_cff_off00003691.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x3691
    Size: 2789 bytes
    SHA-256: 5673cdba6e8d5992d1d05f6c777c5574a1f49f99d821bd8ead4b8123ffc2ec64
  • font_02_cff_off00088acd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x88ACD
    Size: 6421 bytes
    SHA-256: 4f267c85b89e6fc9ee8b3e4a01806e6f5a805c14e2111e34d51fdf36007a1791
  • font_03_cff_off0008a105.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x8A105
    Size: 476 bytes
    SHA-256: 129b2c4ae4f4a5fb8984be184f5023011014931bbd0054a167aa17b69abbd8d2
  • font_04_cff_off0008a3e8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x8A3E8
    Size: 5260 bytes
    SHA-256: d8c7188244ae0a8ef8c65bb9a045cdde73619c23714d621d9f578c26370f0a96
  • font_05_cff_off0008bb6d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x8BB6D
    Size: 432 bytes
    SHA-256: ac353bdfb1211c1b172673d981e583b1fc72aeb8a992d0c256b2dd138e093c1d
  • font_06_cff_off0008bda9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x8BDA9
    Size: 3950 bytes
    SHA-256: 71fd54b8e047f12e8160b06c9d1183a6c371715d7f70900fabbe3c74fffc4f75