Malicious PDF — malware analysis report

Static analysis result for SHA-256 676fb737681d0ff6…

MALICIOUS

PDF

66.4 KB
MD5: 6889a1cb326864b56efa1ddc988a633f SHA-1: fb0b3447925fca034b414c0ac312fec9019b6a98 SHA-256: 676fb737681d0ff6f58fcaee325ac4821878b257037d97dd6dbc004bdf31df3b
294 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript that uses the exportDataObject and nLaunch functions to automatically extract and execute an embedded file named 'ReverseCrypter.exe' upon opening. This behavior is indicative of a dropper, designed to launch a secondary payload, which ClamAV identified as 'Win.Ransomware.Hiddentear-9752356-0'. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • exportDataObject + nLaunch — embedded-file launch-on-open dropper critical PDF_JS_EXPORT_LAUNCH_DROPPER
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • ClamAV: Pdf.Dropper.Agent-7268409-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7268409-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ReverseCrypter.exe
2a0a80bdf32286a2574c29a378a455dc73729766f17b65fe7f6d030bcf00c99e		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x3C3 135680 bytes
Detection
ClamAV: Win.Ransomware.Hiddentear-9752356-0
Obfuscation or payload: unlikely
javascript_obj0009_000.js
0d1b3d1aee799368fca7a814e4216ab4a0346230de0adcecbf097bcdab36965a		 pdf-javascript-stream PDF /JS object 9 at offset 0x107CB 67 bytes
javascript_obj0009_001.js
9865b873295f238e6f0ad36b40eb11bd674b1aadaff1f7ee7d0f06c46b2fb753		 pdf-javascript-stream PDF /JS object 9 at offset 0x107CB 65 bytes
combined_document_js_000.js
a434feb53955af4920d71df340124dc0a6cce0425bc8bd6ce6b2fa52383b581a		 deobfuscated-js combined document JavaScript streams at offset 0x107CB 133 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.