Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a3f095706031245…

Verdict: MALICIOUS
File type: PDF
Size: 192.5 KB
Created: 2011-10-24 11:43:49 +02:00
Authoring application: XContent (Pty) Ltd. (via iTextSharp 4.1.2 (based on iText 2.1.2u))
MD5: eacde9dc0f8a595a693cf1c10d98dfee
SHA-1: de717a88fdc01d042890e707b8abd2b64385be89
SHA-256: 6a3f0957060312458a631a544877bf8c26738cf13d11282a13c5b378c9d82142
Risk score: 216

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF contains multiple JavaScript streams, including one that appears to be a modified version of json2.js, and another that attempts to submit data to 'migael@demo.local'. The presence of PDF_EVAL and PDF_JS_PROTOTYPE_POLLUTION heuristics indicates the JavaScript is likely obfuscated and designed to execute malicious code. The script's ability to submit data suggests an attempt to exfiltrate information or deliver a second-stage payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7247

Heuristics (11)

  • Prototype-pollution JavaScript pattern (severity: high, CVE related) rule PDF_JS_PROTOTYPE_POLLUTION
    PDF JavaScript mutates object prototypes while also referencing privileged or sensitive PDF APIs. This tracks a modern PDF exploit technique family without assigning an unverified CVE.
  • PDF JavaScript exploit cluster (severity: critical) rule PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call (severity: high) rule PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action (severity: low) rule PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low) rule PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Additional-actions dictionary (severity: low) rule PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
  • String.fromCharCode (severity: low) rule PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • AcroForm button with action trigger (severity: low) rule PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • External URI (severity: info) rule PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact (severity: info) rule EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info) rule EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.xcontent.com/
    • http://erik.eae.net/simplehtmlparser/simplehtmlparser.js
    • http://get.adobe.com/reader/
    • http://get.adobe.com/reader/)/S/URI
    • http://get.adobe.com/reader/)/Type/Annot/Rect[0
    • http://www.JSON.org/json2.js
    • http://www.JSON.org/js.html
    • http://javascript.crockford.com/jsmin.html

Extracted artifacts (18)

Files carved from inside the sample during analysis.

  • javascript_obj0067_000.js
    SHA-256: 5300a78c6bdcf92c8041aa4ed3d775b4c158a06abd7b84337dea8912060228c8
    Kind: pdf-javascript-stream
    Source: PDF /JS object 67 at offset 0x2ABDC
    Size: 57 bytes
  • javascript_obj0067_001.js
    SHA-256: 6bd26c858c57fa7dc6eeb0b6bf5e2230127abea8f98feae79f6bb2cd1700e400
    Kind: pdf-javascript-stream
    Source: PDF /JS object 67 at offset 0x2ABDC
    Size: 68 bytes
  • javascript_obj0067_002.js
    SHA-256: 793ee6f7d9df425c88079c4cb22358b26afc00213b0a88fc6ffdb26abfefc123
    Kind: pdf-javascript-stream
    Source: PDF /JS object 67 at offset 0x2ABDC
    Size: 69 bytes
  • javascript_obj0070_003.js
    SHA-256: 7acc69b13bf5d8c7b653738e96b9f9685263e2c2ec42d547f47deaadad03e458
    Kind: pdf-javascript-stream
    Source: PDF /JS object 70 at offset 0x2AF88
    Size: 57 bytes
  • javascript_obj0070_004.js
    SHA-256: dd42f18882d9938d2943019d23254da9257ae576df06f5d2764768b23a1f637c
    Kind: pdf-javascript-stream
    Source: PDF /JS object 70 at offset 0x2AF88
    Size: 68 bytes
  • javascript_obj0070_005.js
    SHA-256: 3310797477d27ddfc8d20651fb51a63cb56d69c401da1fa9c0c9dec8e2a67d18
    Kind: pdf-javascript-stream
    Source: PDF /JS object 70 at offset 0x2AF88
    Size: 69 bytes
  • javascript_obj0070_006.js
    SHA-256: 10c994da38f2f8f5f3c03663baac56dcdee544c490baa2bb869ecbdf49a1c9f1
    Kind: pdf-javascript-stream
    Source: PDF /JS object 70 at offset 0x2AF88
    Size: 42 bytes
  • javascript_obj0070_007.js
    SHA-256: 9b5be65ad1e7ab91c02bc22d67ef9ff7d00e8d2e9d8d965b6f78ecfbf9cf07b6
    Kind: pdf-javascript-stream
    Source: PDF /JS object 70 at offset 0x2AF88
    Size: 33 bytes
  • javascript_obj0072_008.js
    SHA-256: bc0bf6c45904d1e3ec8c85e3cbaec0ae09863fa9e37d3436b0c91ca467e8cb1a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 72 at offset 0x2B2FA
    Size: 62 bytes
  • javascript_obj0073_009.js
    SHA-256: d82ccb731e1237740e56c5b231c509bf0dc37a1042f598e5873e8cecd0971f99
    Kind: pdf-javascript-stream
    Source: PDF /JS object 73 at offset 0x2B478
    Size: 67 bytes
  • javascript_obj0074_010.js
    SHA-256: 7be5756d5d630264076f33e98cfe1a3c599421bcb04a7201f7159a8044f512c0
    Kind: pdf-javascript-stream
    Source: PDF /JS object 74 at offset 0x2B5FE
    Size: 67 bytes
  • javascript_obj0075_011.js
    SHA-256: 70258caac9631d1313d94f619d965f84d15e8e70ac295bcc796cea72d5b5c18b
    Kind: pdf-javascript-stream
    Source: PDF /JS object 75 at offset 0x2B780
    Size: 69 bytes
  • javascript_obj0076_012.js
    SHA-256: cf5f08f266fce57ab0b88295abfb16985a25cd50718a640c17dc567ae3d02086
    Kind: pdf-javascript-stream
    Source: PDF /JS object 76 at offset 0x2B906
    Size: 75 bytes
  • javascript_obj0076_013.js
    SHA-256: 747a30df2710153c8e9212506e91333d7f221ab8b748ff3847fe0be58b88f6f6
    Kind: pdf-javascript-stream
    Source: PDF /JS object 76 at offset 0x2B906
    Size: 76 bytes
  • javascript_obj0080_015.js
    SHA-256: b4a05ce1a336f93d3dbf3c777d35fd2d9e07d98355e6f2be7368d95c8edfcdb4
    Kind: pdf-javascript-stream
    Source: PDF /JS object 80 at offset 0x2BDC9
    Size: 47 bytes
  • javascript_obj0012_016.js
    SHA-256: cf69b37ec38313bf96c586796d24cdb3eebd3959c4487ff752f33acbbdfb1993
    Kind: pdf-javascript-stream
    Source: PDF /JS object 12 at offset 0xB7E2
    Size: 17351 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
  • javascript_obj0014_017.js
    SHA-256: 4053cb72eb75d9b7024f46556b66230442f3346e51895bc6728b6758623f8e05
    Kind: pdf-javascript-stream
    Source: PDF /JS object 14 at offset 0xCD86
    Size: 152175 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s))
  • javascript_obj0062_018.js
    SHA-256: 0d385f6d75ee4ce6c535b67a8f1ca84517cfb225cf56b9908032d3956b2258cd
    Kind: pdf-javascript-stream
    Source: PDF /JS object 62 at offset 0x2A740
    Size: 515 bytes