Malicious PDF — malware analysis report

Static analysis result for SHA-256 648c4c41131b8db7…

MALICIOUS

PDF

374.9 KB
MD5: 9e672fb915a0858326bc6210042e3943 SHA-1: 0db5b3162d3bcf5c21fb240f105b1b0b62e5bc31 SHA-256: 648c4c41131b8db7ec817ad7238f02cc7a6cb6dba754b794b8d738694dae4e39
126 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF file contains embedded JavaScript, identified as a PDF JavaScript exploit cluster. The JavaScript appears to be obfuscated and attempts to download a second-stage payload. The presence of XFA forms and JavaScript actions strongly suggests exploitation for client execution. The specific URL http://www.bitstream.com is flagged as unknown and is the only non-benign URL found.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9644

Heuristics 7

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-locale-set/2.6/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0044_000.js
d04e3450f44051088f29c7aa78421ac3f17c77d1deab536fd91aff2563c9414b		 pdf-javascript-stream PDF /JS object 44 at offset 0x33C9 9306 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
font_00_cff_off00006094.bin
ea8f409c7366ed46eeb553aa7b404f04641f482ba88463fbe253da60be5787e5		 pdf-font-stream PDF embedded font (cff) at offset 0x6094 1138 bytes
font_01_sfnt_off00006e86.bin
e31f8c8507e52f29008d946a00becde9f839e34cb108985ce66167bf881adafa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E86 8084 bytes
font_11_sfnt_off0001c43e.bin
422bc5698ba5d9d4818f6a2d8b3abca2f723e713b44a15c390139d2c976a1388		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C43E 65932 bytes
font_12_sfnt_off0002c867.bin
7e24ee16c8b09ee74d61445f29c3c0a95abfdf17fc1008606394f159dbd0c106		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2C867 65932 bytes
font_13_sfnt_off0003cc90.bin
57e24925bc6bdb98d38e8b4ba3b87f80f75c5e49ea9a522486790d7dc6848549		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3CC90 65932 bytes
font_14_sfnt_off0004d0b9.bin
1f068d668b316fcb46f0801be00137fb749cc7fda5ca15e442829d6c303d8f99		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4D0B9 65932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.