Malicious PDF — malware analysis report

Static analysis result for SHA-256 6357253f3c42320f…

Verdict: MALICIOUS
File type: PDF
Size: 849.4 KB
Created: 2010-03-16 10:01:41 -07:00
Authoring application: Adobe InDesign CS4 (6.0) (via Adobe PDF Library 9.0)
MD5: 9ad03610e5baabfac1b8576102f126b2
SHA-1: ae2602713b48f60f942538dc280f8a51cd773e3f
SHA-256: 6357253f3c42320f63111277973c6793b2d0f847ee4cf7a5a996ddb15b220550
Risk score: 240

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF contains multiple heuristics indicating JavaScript exploitation, including PDF_EVAL and PDF_FROMCHARCODE, and is flagged by an ML classifier. The embedded JavaScript streams, though simple, are part of a larger exploit cluster. The presence of U3D- and JPXDecode-related heuristics also suggests exploitation of known PDF vulnerabilities. The unknown-reputation URLs are suspicious and likely related to the malicious payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8340

Heuristics (10)

  • JPXDecode + active content — JPEG2000 CVE-family indicator (high, CVE related) PDF_JPX_CVE_2018_4990_RELATED
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator (high, CVE related) PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call (high) PDF_EVAL
    eval() found; commonly used for obfuscated exploit execution (matched inside decoded stream).
  • JavaScript action (low) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (low) PDF_FROMCHARCODE
    String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.kaon.com/aboutPDF
    • http://www.strata.com/rd/live3dmenu.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/g/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#
    • http://ns.adobe.com/xmp/InDesign/private

Extracted artifacts (13)

Files carved from inside the sample during analysis. Each entry lists filename, SHA-256, kind, source location inside the PDF, size, and any detection notes.

  • javascript_obj0406_000.js
    SHA-256: 578aed31eeb16c7d5addb14deabb33c6d1ff616db3cf6757e3c42ed2a6f5cd20
    Kind: pdf-javascript-stream
    Source: PDF /JS object 406 at offset 0xD3394
    Size: 32 bytes
  • javascript_obj0408_001.js
    SHA-256: cb0b3d4c5f194e021b9a0221da3eb5e452e0eca53b84aa0f617c46eec75a9684
    Kind: pdf-javascript-stream
    Source: PDF /JS object 408 at offset 0xD34E7
    Size: 33 bytes
  • javascript_obj0418_004.js
    SHA-256: ef3ea8a689375d1da4f1dc9d6cd8cab6faef31e75fc06dc5a4a8f1b59794f706
    Kind: pdf-javascript-stream
    Source: PDF /JS object 418 at offset 0xD3B7E
    Size: 33 bytes
  • stream_002_off000004a5.js
    SHA-256: 6f22ebc6d14801a4c70f679332717a9523edef48c0bcd7588086be8b3669f014
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4A5
    Size: 40153 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 15 eval/decoder/string-building token(s).
  • stream_031_off0001ebf1.bin
    SHA-256: d76eb683bf59804329c6415801f74bb0efe581a47992b4679e7b786355019205
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1EBF1
    Size: 471564 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact entropy is 7.87, consistent with packed or encrypted content.
  • stream_032_off0008d899.js
    SHA-256: 5e4466127e58b0736f80dd9403acd8bdbe886be31e6d9f951f74116f8b39955a
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x8D899
    Size: 92994 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
  • objstm_0360_00.bin
    SHA-256: a4f07c689288bdd58732900f4c71ef42b26d3c313bd731566d9075715935e090
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 360 0 obj (inflated)
    Size: 4437 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).
  • objstm_0060_00.bin
    SHA-256: 17919afaa47e46b0d65fa1d2613cc80472f97a9e92be9c50edd5a91e89e5062c
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 60 0 obj (inflated)
    Size: 8638 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blob(s).
  • objstm_0425_00.bin
    SHA-256: e33fe476d011f62d5b3cbbf6a6bece98609791ec38b0fa9f6d43d0141adeb99e
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 425 0 obj (inflated)
    Size: 3127 bytes
  • font_00_cff_off000045d6.bin
    SHA-256: efb892fedc535b39bed7edff6cd8c7b16d628dcc0ad0df8937593d749ab0fdc0
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x45D6
    Size: 5762 bytes
  • font_01_cff_off000058ae.bin
    SHA-256: 150e17044d4879b1353de1765b24d85b0b93e36bd3fc961aa3d9bbd044e83f57
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x58AE
    Size: 3172 bytes
  • font_02_cff_off000071f8.bin
    SHA-256: 9ae12b2d01497b5b6126cafe9f9d160f7448874c32a46ea600f22848d1355f63
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x71F8
    Size: 1292 bytes
  • font_03_cff_off0001a89d.bin
    SHA-256: 7ac0d42f0bd97cbd69bc489433a62995fe8030376befb5f0ff88fcc2daeb1c1f
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1A89D
    Size: 870 bytes