Malicious PDF — malware analysis report

Static analysis result for SHA-256 64d353c1dff9bd03…

MALICIOUS

PDF

6.47 MB
MD5: 9b804998ce80b4405bb7692094f2f2e3 SHA-1: 4463c9622b28ef57152ad75cbd000d578fb732b4 SHA-256: 64d353c1dff9bd03713f27fcc1c55ab1a5bfc6af50372bd700bd4c882401b2f4
134 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF contains JavaScript that uses the exportDataObject and nLaunch functions, indicating it is designed to automatically launch an embedded file upon opening. The embedded file is named 'test.doc', suggesting a lure to trick the user into executing a malicious payload. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • exportDataObject + nLaunch — embedded-file launch-on-open dropper critical PDF_JS_EXPORT_LAUNCH_DROPPER
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
test.doc
b572c0ef43dd6c8e6fda9cdba2adb7ab8dfe074981d62d582d8457ae3f96c7f9		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x568 2260513 bytes
javascript_obj0009_000.js
f4202c85a4cb93d4b82b9bb0b4ea5e174d56cb4c465226dabd1c563690942529		 pdf-javascript-stream PDF /JS object 9 at offset 0x677BB9 57 bytes
javascript_obj0009_001.js
b8cebed679e527f70945c094cd6d1a6534ebe9b43e42651bc56cefb684263b2d		 pdf-javascript-stream PDF /JS object 9 at offset 0x677BB9 55 bytes
combined_document_js_000.js
e60daab43579d25aff483960fbdbd97820f26c372a72ad34ceb3140ad2331d93		 deobfuscated-js combined document JavaScript streams at offset 0x677BB9 113 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.