Malicious PDF — malware analysis report

Static analysis result for SHA-256 6300e7eac89c9c7c…

MALICIOUS

PDF

738.2 KB Created: 2005-08-31 12:45:52 UTC Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 5.0 (Windows))
MD5: 6f60d65b175ff3105a79a7dee1c70b07 SHA-1: 0acb46938b32682b0bc0130a06450907bb87598e SHA-256: 6300e7eac89c9c7ca8ccbf413432fd1bb3ad44cea0b721d4935d7630515ffd4a
188 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains JavaScript that uses eval() and String.fromCharCode() to construct strings, indicating obfuscation and potential exploit code. The script appears to be designed to prompt the user for input related to a serial number or license, which is a common lure for downloading further malicious content. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic further supports the idea that this document is part of a multi-stage attack, likely involving a password-protected archive.

Machine Learning

  • Nyx PDF Classifier clean score 0.1747

Heuristics 9

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Unusually high stream count medium PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.iec.ch

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0455_000.js
ca2c34fbd62c0f2b212d935995d68160a4b677acb6920f60baf443e9e3c891cc		 pdf-javascript-stream PDF /JS object 455 at offset 0x8D66A 1446 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s).
stream_135_off0007e476.bin
a404d1dde3c08e0c4a83355f4e1538b20532fb6f6abb2a31c5afb5cd64ad9fab		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x7E476 51488 bytes
icc_00_off0008a265.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x8A265 3144 bytes
font_00_sfnt_off00072005.bin
3946f8be56c10737cd247e5a8a6fd840d586053b9b89ea7d295691a2f3bf1930		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72005 22064 bytes
font_01_sfnt_off000740d1.bin
6de27307f321c4dc59d8522a0d001584c2d20468d27219d5c0d7aad93a386553		 pdf-font-stream PDF embedded font (sfnt) at offset 0x740D1 20748 bytes
font_02_sfnt_off00078b16.bin
3d075071835bbaf38975498783253250a6d525b4622cf6d1d99f44c73e548d9f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78B16 40944 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.