Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a4910f89a563471…

Verdict: MALICIOUS
File type: PDF
File size: 133.5 KB
MD5: 20ae258d73296fa3dd40163287b0212f
SHA-1: 17a022a89e444ff32489285c6e9e53e539fb97b4
SHA-256: 6a4910f89a563471a1bbfdab3a6f119ffbb50eda46c184ee4c53fcbfa6e791ab
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript, identified as an exploit cluster targeting XFA forms. This JavaScript is likely responsible for downloading and executing a secondary payload, as indicated by the 'PDF_JAVASCRIPT' and 'PDF_JS_EXPLOIT_CLUSTER' heuristics. The presence of an embedded URL, although benign in reputation, suggests a potential communication channel for payload retrieval. The ClamAV detection 'Pdf.Exploit.Agent-20191' further confirms the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier clean score 0.0090

Heuristics (7)

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Exploit.Agent-20191 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-20191
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.8/
    • http://www.xfa.org/schema/xfa-template/2.8/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xtd/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://cgi.adobe.com/special/acrobat/update

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • embedded_file_obj0005.bin
    SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 5 at offset 0x1D874
    Size: 85 bytes
  • embedded_file_obj0006.bin
    SHA-256: dc8d1dfebf3f53064f73d28f29f1a8bb97e4aed83aa9896766e2720919ecf5e0
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 6 at offset 0x1D926
    Size: 1472 bytes
  • embedded_file_obj0007.bin
    SHA-256: 48a66cb7622e0151dab8fb7449e54525e5e60a78572f225fdf5c6b4844b08b0c
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 7 at offset 0x1DBE1
    Size: 38562 bytes
  • embedded_file_obj0008.bin
    SHA-256: d3d9b8d8f552508d6de22d8f21efcff2cab83583f01c3edc27a6c9dc74686ac7
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0x1F1EB
    Size: 1764 bytes
  • embedded_file_obj0009.bin
    SHA-256: aafb31c49fd20a0922813ca9f195e935219e227be7c7eadb0584774a6039f751
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 9 at offset 0x1F49E
    Size: 2917 bytes
  • embedded_file_obj0010.bin
    SHA-256: 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 10 at offset 0x1F817
    Size: 200 bytes
  • embedded_file_obj0011.bin
    SHA-256: e64ab356b3cbe811fd7be5c28b32ebeeedb647974306c73ecf26c44576109fa4
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 11 at offset 0x1F90B
    Size: 835 bytes
  • embedded_file_obj0012.bin
    SHA-256: a0df1639a9ff6b2a542a02ab599149a32b41c0b4e8e9d0f95ac61f073cacc668
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 12 at offset 0x1FAE4
    Size: 96 bytes
  • stream_002_off00002ef3.js
    SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2EF3
    Size: 1532 bytes
  • stream_003_off000030de.js
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x30DE
    Size: 870 bytes
  • stream_074_off0000b5a8.bin
    SHA-256: 2fb8d0db88ecab4121b7b00a88131109a056aa06b237bf7e92f5feefaadd95fb
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xB5A8
    Size: 56704 bytes
  • objstm_0163_00.bin
    SHA-256: 8993794d8f5843948e6237bbccbab69d0030d782478d664f9c005b10ffebdccf
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 163 0 obj (inflated)
    Size: 32963 bytes