Malicious PDF — malware analysis report

Static analysis result for SHA-256 68f7441d06d1bd12…

Verdict: MALICIOUS
File type: PDF
Size: 584.1 KB
Authoring application: PyPDF2
MD5: b22011d7606b13b9f24aadf16f7a33bb
SHA-1: 09c00d62e62c27d9c3d3c0f6ff2bb817822c5135
SHA-256: 68f7441d06d1bd124b7d39eb8d613bc54fc3d6cc512d7fac669c989cac4378ac
Risk score: 146

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains JavaScript that calls exportDataObject with the nLaunch parameter set, which exports an embedded file named 'adobe_update.html' and then launches it. This is a common technique for delivering a second-stage payload disguised as a legitimate update. The ML classifier strongly indicated maliciousness, and the embedded script's behaviour confirms dropper functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9793

Heuristics (8)

  • exportDataObject + nLaunch — embedded-file launch-on-open dropper (severity: critical, rule PDF_JS_EXPORT_LAUNCH_DROPPER)
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • Embedded script payload in PDF stream (severity: medium, rule PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low, rule PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • External URI (severity: low, rule PDF_URI)
    PDF contains an external URL action.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
    • https://get.adobe.com/uk/reader/
    • https://get.adobe.com/reader/modal/?content=readerSystemRequirement&loc=uk&version=2021%2E005%2E20058&os=Windows&fakeajax

Extracted artifacts (7)

Files carved from inside the sample during analysis. Each entry lists filename, kind, source, size and SHA-256, followed by detection results where available.

  • adobe_update.html
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 7 at offset 0x494
    Size: 508467 bytes
    SHA-256: 482348588ad1622966739ca2f84dabe9d1ea0c95976792571128c79a0a4e1a78
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)
  • javascript_obj0004_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 4 at offset 0x27E
    Size: 106 bytes
    SHA-256: d692f7662d545726b3153195252dcc81ba2e30e33a95a9662637802a7e9e8712
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)
  • javascript_obj0004_001.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 4 at offset 0x27E
    Size: 92 bytes
    SHA-256: 8daf2ab33e463fb46dbe0e000ffb0a9d7c0911b790cf1f20b31981e3f36b2207
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)
  • combined_document_js_000.js
    Kind: deobfuscated-js
    Source: combined document JavaScript streams at offset 0x27E
    Size: 199 bytes
    SHA-256: 8b7f22b425408a6f5affcb45dda2e7a0c35b98f2e76a96af44b6e01130380220
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens)
  • font_00_sfnt_off0007febb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7FEBB
    Size: 20776 bytes
    SHA-256: 155af8f01291e607f59df6e62c2c08cb4989cd882a2df56db771222d91f14aa9
  • font_01_sfnt_off0008312d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8312D
    Size: 38572 bytes
    SHA-256: 9e4e3f12965c0d41143ab78585170c3f3cdad1b5b8f7bdd79d0c75611b1d695e
  • font_02_sfnt_off00088f71.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x88F71
    Size: 49460 bytes
    SHA-256: b3d663073f10dc69ed2ade8e0ddeee3b7e20a30127907ae0d6db821003f3e4e9