Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a76a4b392510a6a…

MALICIOUS

PDF

6.9 KB
MD5: d284ec46ad9851d487778637d429c184 SHA-1: 4054bb34e48aeaeef5a50dec20af68733c943bfe SHA-256: 6a76a4b392510a6ae29898830899433579645a334b086f6c02d62bad049a4026
284 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript that leverages the app.addToolButton/removeToolButton functions, indicating an attempt to exploit CVE-2014-0496. This exploit cluster is designed to achieve client-side execution. The document body contains a generic 'Who's there?' message, which is typical for phishing lures.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9970

Heuristics 9

  • app.addToolButton/removeToolButton — CVE-2014-0496 critical CVE exact CVE_2014_0496
    PDF JavaScript combines app.addToolButton() and app.removeToolButton() with heap-spray shellcode markers — the public Adobe Reader/Acrobat ToolButton use-after-free exploit shape for CVE-2014-0496. (matched in decompressed stream)
  • Embedded PDF child has suspicious static findings critical PDF_EMBEDDED_CHILD_STATIC_TRIAGE
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Remote GoTo action info PDF_GOTO_REMOTE
    PDF has GoToR/GoToE actions that reference sibling document files — typical of multi-part document bundles

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
magellanic_venus_657.pdf
f098877db7743761ae8a3591c73370a75db9c688eea2fbcfb4ae42076662165e		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x36A 11600 bytes
magellanic_venus_657_1.pdf
48bb87feca1efede6a3e8399a9ff2fb1de82ff7c00d6917450063beede0f87e4		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x36A 5098 bytes
magellanic_venus_657_2.pdf
b2095ab7e3910032302050b3dc9ca71d0d408905c1b309d179ede898f3eb54db		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x36A 5758 bytes
magellanic_venus_657_3.pdf
b6b4154fc08ad89224509979da2deaa470a3ee03869ec84c79a821070f9807be		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x36A 6422 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.