PDF malware analysis — malicious · 61c654415fb921c3

MALICIOUS

PDF

762.0 KB

MD5: b153598d30c68d481c01d53588c55d82 SHA-1: 9dd72ea5b1b2901e16a0274878e02584952f0c79 SHA-256: 61c654415fb921c3b00f549bcf70936b967ea1548963d6b013f07c72f85dafc7

96 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and triggers PDF_JS_EXPLOIT_CLUSTER heuristics, indicating an attempt to exploit vulnerabilities. The presence of XFA forms further supports this. The embedded JavaScript likely downloads and executes a second-stage payload, as suggested by the PDF_EMBEDDED heuristic and the extracted file artifacts. The URLs found, while mostly benign, include one unknown reputation URL that warrants attention.

Machine Learning

Nyx PDF Classifier clean score 0.0510

Heuristics 7

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ocsp.verisign.com0
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xfa/promoted-desc/
- http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.8/
- http://www.xfa.org/schema/xfa-template/2.8/
- http://www.w3.org/1999/xhtml
- http://www.xfa.org/schema/xfa-data/1.0/
- http://www.xfa.org/schema/xfa-template/2.5/
- http://www.xfa.org/schema/xfa-locale-set/2.1/
- http://ns.adobe.com/xfdf/
- http://www.xfa.org/schema/xfa-form/2.8/
- http://cgi.adobe.com/special/acrobat/update
- http://crl.verisign.com/tss-ca.crl0
- http://crl.verisign.com/ThawteTimestampingCA.crl0
- https://www.verisign.com/rpa
- https://www.verisign.com/rpa01
- http://crl.verisign.com/pca3.crl0
- http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
- https://www.verisign.com/rpa0
- http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
- http://www.adobe.com/typehttp://www.adobe.com/type/legal.html

Extracted artifacts 13

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0189.bin` `6a92e1d26e0b74da3eaac0204358dc286d80a38e407516f1a71149607a9887b9`	pdf-embedded-file	PDF EmbeddedFile object 189 at offset 0x5B1E6	163 bytes
`embedded_file_obj0190.bin` `384d654330ebd80971db35cc8b3e9570849c2441ff26f195ec4f6980d4645b98`	pdf-embedded-file	PDF EmbeddedFile object 190 at offset 0x5B2D9	1968 bytes
`embedded_file_obj0191.bin` `a4b2f2854b7f81fd86b175364b1044ee1f0459b3bd72bb36c034caceb9cd02ba`	pdf-embedded-file	PDF EmbeddedFile object 191 at offset 0x5B653	423970 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 long base64-like blob(s).
`embedded_file_obj0192.bin` `bac3e4de866ac1448036bb843b9b97f7525c1e48b40f0b6335cf6bfcf93c9858`	pdf-embedded-file	PDF EmbeddedFile object 192 at offset 0x75A62	2415 bytes
`embedded_file_obj0193.bin` `518dfeab6de10097a64e1247ce07218a7ada8a641b9eecaabf3dd70e266a1f0b`	pdf-embedded-file	PDF EmbeddedFile object 193 at offset 0x75D55	3869 bytes
`embedded_file_obj0194.bin` `1a9a939c50d732377ffe1ac5a0a72a9d9e60c518c2293c000c565bd2ead9c3f6`	pdf-embedded-file	PDF EmbeddedFile object 194 at offset 0x76262	1856 bytes
`embedded_file_obj0195.bin` `2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19`	pdf-embedded-file	PDF EmbeddedFile object 195 at offset 0x7659F	80 bytes
`embedded_file_obj0196.bin` `4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1`	pdf-embedded-file	PDF EmbeddedFile object 196 at offset 0x7664A	56 bytes
`stream_002_off00000705.js` `f8721569904600df33f536ddc9f4942717077f9d6c3c4253a8f4de5650fc6531`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x705	1367 bytes
`stream_003_off000008ed.js` `91ea259764c68d27b8981a339c02d8ea92224ae5c0d0cd0a7c8f3d645d599090`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x8ED	902 bytes
`stream_018_off00003621.bin` `a22d44e3d44bc5349053b34b35da1c9b137df3fd2440e73dcc7cae031f1f1666`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x3621	52052 bytes
`objstm_1242_00.bin` `2074d96620530907368084751f834dd84ce4e5e622a529561220116cae3a936d`	pdf-objstm-decoded	PDF /ObjStm 1242 0 obj (inflated)	15790 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 long base64-like blob(s).
`font_00_sfnt_off00076751.bin` `c29e5b1537bee8c88b3ffca56c5f24a45ec8da374cf9d4c0b4a78d04fc230949`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x76751	95975 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.