Malicious PDF — malware analysis report

Static analysis result for SHA-256 614022894545924a…

MALICIOUS

PDF

197.0 KB Authoring application: FOP 0.20.5
MD5: 32ffe2ead24c12c52f9edc1ab59e3083 SHA-1: 56a06b894f935b96e3bbb45e675efdecbaa75ec7 SHA-256: 614022894545924ae8cbba0ad9d86fa3487c9bc29a1a28428c7bcb9fd53de0d7
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript that attempts to launch a URL to 'verify.xyzmo.com/UploadForm.aspx'. This script is designed to trick the user into uploading a file, likely for further malicious processing. The ML classifier also flagged this PDF as malicious with a high score.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8477

Heuristics 6

  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.xyzmo.com
    • https://verify.xyzmo.com/UploadForm.aspx?MyFile=
    • https://verify.xyzmo.com
    • https://verify.xyzmo.com.\n\nThe

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0038_000.js
592db10defe20d4bb92ec7389df4a680eaaac281962e22d216c9f1a50a755d2a		 pdf-javascript-stream PDF /JS object 38 at offset 0x298B3 1819 bytes
font_00_cff_off0002747a.bin
c566766611233969cb6c10b708f63850c97eb37747205be6d3d09e6bd18004b9		 pdf-font-stream PDF embedded font (cff) at offset 0x2747A 1009 bytes
font_01_cff_off00027878.bin
2809ffbeff8ddfc09c4ca0296574cbf7e6ff9e3dfca4298b6d751edb5ef5cc2b		 pdf-font-stream PDF embedded font (cff) at offset 0x27878 5233 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.