Malicious PDF — malware analysis report

Static analysis result for SHA-256 64da6fe2e0bf37bb…

Verdict: MALICIOUS
File type: PDF
Size: 80.6 KB
Created: 2003-04-29 14:05:33 -03:00
Authoring application: LiquidOffice Form Designer (via Adobe PDF Library 5.0)
MD5: 6d5c079af5b22425fa029b6a361ff66b
SHA-1: 5884738e514a125114e15a98420c95e08a293dc0
SHA-256: 64da6fe2e0bf37bb23a064dbc97f37b294429e23cfdf6bccd7c92172f2e0ef85
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF sample contains multiple embedded JavaScript streams, with a critical heuristic firing for a PDF JavaScript exploit cluster. The ML classifier also flagged the PDF as malicious. The embedded JavaScript is likely designed to exploit a vulnerability and download a secondary payload, as indicated by the heuristic signals and the presence of JavaScript code. The URL http://cgi.adobe.com/special/acrobat/update was found embedded in the document text.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8569

Heuristics (7)

  • PDF JavaScript exploit cluster (severity: critical, rule PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (severity: low, rule PDF_FROMCHARCODE)
    String.fromCharCode found; it is used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (Matched inside a decoded stream.)
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://crl.adobe.com/prodSvce.crl0
    • https://www.adobe.com/misc/pki/prod_svce_c
    • http://crl.adobe.com/cds.crl0
    • http://cgi.adobe.com/special/acrobat/update

Extracted artifacts (18)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size, followed by per-artifact detection results where the analysis recorded any.

  • javascript_obj0079_000.js
    SHA-256: b220545ef84cc4c82317f3a93e3fdb942c5011b13a9b935388e73505f1e8dd03
    Kind: pdf-javascript-stream; Source: PDF /JS object 79 at offset 0x356A; Size: 725 bytes
  • javascript_obj0080_001.js
    SHA-256: d90fbad9045e1fef122c40ff44c856ddc55107faccd87577c8cdbd53a156115c
    Kind: pdf-javascript-stream; Source: PDF /JS object 80 at offset 0x3696; Size: 3018 bytes
  • javascript_obj0081_002.js
    SHA-256: c0173e4550b01946dd335cc34a776ca0e72da5f1bbb82c9db781155ae0c9430d
    Kind: pdf-javascript-stream; Source: PDF /JS object 81 at offset 0x3A74; Size: 7434 bytes
    Detection: ClamAV: No threats found; Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
  • javascript_obj0082_003.js
    SHA-256: b2243e8f9d8acffeb720263cb4d7e1afafeee62821a355011cc024c713b3b6fb
    Kind: pdf-javascript-stream; Source: PDF /JS object 82 at offset 0x434B; Size: 16042 bytes
    Detection: ClamAV: No threats found; Obfuscation or payload: likely (carved artifact contains 6 eval/decoder/string-building token(s))
  • javascript_obj0083_004.js
    SHA-256: fad19605a2fbd8c3711117e899478117ccedb34087c12a457cfb236698a7b441
    Kind: pdf-javascript-stream; Source: PDF /JS object 83 at offset 0x5526; Size: 12956 bytes
  • javascript_obj0084_005.js
    SHA-256: ae82ed22803c9e2d4c6c211368e684ed61e15325bc676bdddf7bfe1d26a3a323
    Kind: pdf-javascript-stream; Source: PDF /JS object 84 at offset 0x5C61; Size: 5759 bytes
  • javascript_obj0085_006.js
    SHA-256: 83189639e63d42922961ab3ec4654d63177f5dea13beaff158d52f2082718c51
    Kind: pdf-javascript-stream; Source: PDF /JS object 85 at offset 0x628D; Size: 6358 bytes
  • javascript_obj0086_007.js
    SHA-256: e033b2fa12ebc9b3025976d0aa22fb497efc3de808b9c158794684137cdbc591
    Kind: pdf-javascript-stream; Source: PDF /JS object 86 at offset 0x6920; Size: 4916 bytes
  • javascript_obj0087_008.js
    SHA-256: 87b21688379fffc19c5b92b6f60f37a5395d1ad4ee9c52dee6aa947a51aab009
    Kind: pdf-javascript-stream; Source: PDF /JS object 87 at offset 0x6FA9; Size: 16215 bytes
  • javascript_obj0088_009.js
    SHA-256: a039de835df1ab680c5a3f7bd1726b4dc29e82f2df86dc93164a5f7efbdd5927
    Kind: pdf-javascript-stream; Source: PDF /JS object 88 at offset 0x7EC6; Size: 1025 bytes
  • javascript_obj0089_010.js
    SHA-256: 808c684c6f98ffc90cd194b3ff2b549c296c326f9d54dd9bf7f206ccedbd9e39
    Kind: pdf-javascript-stream; Source: PDF /JS object 89 at offset 0x807C; Size: 2390 bytes
  • javascript_obj0090_011.js
    SHA-256: b04310e5e9133763ee521be79d844d7edc6a9912733c38f65ad09d0f9e566eb4
    Kind: pdf-javascript-stream; Source: PDF /JS object 90 at offset 0x8439; Size: 4241 bytes
  • javascript_obj0091_012.js
    SHA-256: 507a04a13d91f8276e3759ca76587d1180059c598b1736cbb62eae82a9ee50e0
    Kind: pdf-javascript-stream; Source: PDF /JS object 91 at offset 0x8B0F; Size: 8449 bytes
  • javascript_obj0092_013.js
    SHA-256: 3710c4cc8c4dc6aa8bc44fd05f483e84d0b464aade31b5657f5461cac9b704f9
    Kind: pdf-javascript-stream; Source: PDF /JS object 92 at offset 0x94F8; Size: 1029 bytes
    Detection: ClamAV: No threats found; Obfuscation or payload: likely (carved artifact contains 6 eval/decoder/string-building token(s))
  • javascript_obj0126_016.js
    SHA-256: 3bf420284afcc88ae3a1ca6e4771ab2c2785e65ab8943897c7964ce5f9eb908d
    Kind: pdf-javascript-stream; Source: PDF /JS object 126 at offset 0xC9B7; Size: 44 bytes
  • javascript_obj0156_018.js
    SHA-256: 1cbe3230bb47687bb85c260df7d916d6169a08e3fbcd9258f74c67716912c6a9
    Kind: pdf-javascript-stream; Source: PDF /JS object 156 at offset 0xDC16; Size: 372 bytes
  • javascript_obj0158_019.js
    SHA-256: 292f5eec823ac9a29d2b678f07695a400782d715ec1ed8cf3f44d54ac74928c6
    Kind: pdf-javascript-stream; Source: PDF /JS object 158 at offset 0xDD7F; Size: 392 bytes
  • javascript_obj0160_020.js
    SHA-256: 2f3a7b409302734f22a8ba5616f7c840e218882ac559109832417c6922d82ea3
    Kind: pdf-javascript-stream; Source: PDF /JS object 160 at offset 0xDED2; Size: 338 bytes