Malicious PDF — malware analysis report

Static analysis result for SHA-256 67b0a3faec1ecab8…

MALICIOUS

PDF

3.24 MB
MD5: 8ae5d5a2588959b0d99dea9396d905e5 SHA-1: 0ff3e479a7f3d55ea92f70ba1ad7955bfa502d88 SHA-256: 67b0a3faec1ecab87e553f8c89a67b5520720a66e584e33abb2d6bec249e7c15
234 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1105 Ingress Tool Transfer

The PDF contains embedded JavaScript that triggers the export and launch of a file named 'MACHINE QUOTATION.uue'. This file is a ZIP archive containing 'MACHINE QUOTATION.exe' and associated DLLs, indicating a dropper functionality. The ML classifier and ClamAV detection strongly support a malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 6

  • Hidden ZIP payload with executable entries inside PDF stream critical PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD
    PDF stream bytes contain an embedded ZIP archive whose local headers name executable payload files. This is not a normal PDF attachment (/EmbeddedFile); it hides Windows payloads inside an ordinary stream, a strong malware-loader or smuggling pattern.
  • exportDataObject + nLaunch — embedded-file launch-on-open dropper critical PDF_JS_EXPORT_LAUNCH_DROPPER
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • ClamAV: Win.Malware.Aotera-10059964-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Malware.Aotera-10059964-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
MACHINE_QUOTATION.uue
64ea286cdc4d8528fc1ed939719a2933579c48b049d84578e27e654ab1bd8164		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x5A0 3418484 bytes
javascript_obj0009_000.js
d9541c52d61d2d777f75c0c2feabf26ed48cf72fa57421fc83e9464dcc63cae2		 pdf-javascript-stream PDF /JS object 9 at offset 0x33CE1D 70 bytes
javascript_obj0009_001.js
dd7a43b2f7d579fed189dab616bf65a4646d1c6bcaac008931a5b23be75c0a4b		 pdf-javascript-stream PDF /JS object 9 at offset 0x33CE1D 68 bytes
hidden_pdf_zip_off002af3bf.zip
ac79fcbd75cde2eabba89dfb31a52478307f7c095e21c577e636854b7fdd0180		 pdf-hidden-zip PDF raw stream ZIP payload at offset 0x2AF3BF 580167 bytes
combined_document_js_000.js
b2965e81cd43d3667f2f4ca9d9fa6be456f34c53d1e4a92eb31aae5bbbd57a94		 deobfuscated-js combined document JavaScript streams at offset 0x33CE1D 139 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.