Malicious PDF — malware analysis report

Static analysis result for SHA-256 6946628da55e9370…

Verdict: MALICIOUS
File type: PDF
Size: 66.4 KB
Created: (unreadable)
Authoring application: (unreadable)
MD5: a4687c5ba96a63ddc60bfdebf80d291a
SHA-1: 95c5d8a7adbc493645fccf92bc416e0fc7301722
SHA-256: 6946628da55e9370e3435e27be849097c3440d12fb42900857928b02771eda3c
Risk score: 72

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF file is flagged as malicious and contains multiple JavaScript streams, indicating an attempt to obfuscate or hide malicious content. The presence of PDF_ENCRYPTED_WITH_JS and PDF_ACROFORM_BUTTON heuristics suggests that the JavaScript is likely used to trigger an action, possibly to download or execute a secondary payload. The obfuscated nature of the JavaScript streams prevents a more detailed analysis of its specific function.

Machine Learning

  • Nyx PDF Classifier clean score 0.1886

Heuristics (5)

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis (severity: high, rule PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low, rule PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • AcroForm button with action trigger (severity: low, rule PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.

Extracted artifacts (29)

Files carved from inside the sample during analysis.
