Malicious PDF — malware analysis report

Static analysis result for SHA-256 63f61b64727573a4…

MALICIOUS

PDF

96.5 KB Created: 2008-10-24 10:30:25 -04:00 Authoring application: Adobe Designer 7.0
MD5: 5fb005c7cb0499d42a699f3e3d45216e SHA-1: 7eaf3636416ed26a66535ce896320e30b5d8a9a1 SHA-256: 63f61b64727573a4c08d3d836456bf2da8b731fc81a083c919fcce1499920833
188 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF document utilizes XFA forms and embedded JavaScript to masquerade as an invoice or payment request. The embedded JavaScript, specifically the script that constructs the URL "http://cgi.adobe.com/special/acrobat/update", is designed to prompt the user to download a malicious update, thereby executing a second-stage payload. The ML classifier strongly indicates maliciousness, and the combination of XFA, JavaScript, and the lure suggests a targeted attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9478

Heuristics 10

  • XFA form contains risky executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behavior is present.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded script payload in PDF stream low PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://cgi.adobe.com/special/acrobat/update
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.1/
    • http://www.xfa.org/schema/xfa-template/2.2/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0492.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 492 at offset 0xFB52 85 bytes
embedded_file_obj0493.bin
a7f660e6b2eefd54c42a031c239a0fbcf718e7d98593eda9fe7d7174641478bb		 pdf-embedded-file PDF EmbeddedFile object 493 at offset 0xFC05 1405 bytes
embedded_file_obj0494.bin
678fb0573b533ed4ec0e0416a2b37fadfd674975e1d823dc8872e7ac991fde48		 pdf-embedded-file PDF EmbeddedFile object 494 at offset 0xFE9E 152796 bytes
embedded_file_obj0495.bin
1de67b9886d67f795e1e6c9cbfb16ef0cd48e69fd2688c811f15e1d18b96c67e		 pdf-embedded-file PDF EmbeddedFile object 495 at offset 0x14776 1172 bytes
embedded_file_obj0496.bin
45cb45a32bf7d9dcb5486165d40d2b7389308353b349892a1a15022129ca22e8		 pdf-embedded-file PDF EmbeddedFile object 496 at offset 0x149AC 2270 bytes
javascript_obj0484_000.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 pdf-javascript-stream PDF /JS object 484 at offset 0xF3CB 870 bytes
javascript_obj0486_001.js
4e139c8b22ec16bd5aa51575c80dec2bbf89b76977a06b68473031a0eb206366		 pdf-javascript-stream PDF /JS object 486 at offset 0xF552 2794 bytes
javascript_obj0488_002.js
c876171bd867b66b7671fb337ff9e57d18cd15b43d344cf5a7243821300a408a		 pdf-javascript-stream PDF /JS object 488 at offset 0xF844 1528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.