Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a8720aa7bcebe60…

Verdict: MALICIOUS
File type: PDF
Size: 294.0 KB
Created: 2007-03-23 14:48:51 +11:00
Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 6.0.1 (Windows))
MD5: 656fda65ad51c8b29562068f82bca672
SHA-1: cd3be2ff419079f66c78b5db7e8454607d9e1bcc
SHA-256: 6a8720aa7bcebe6093d8a20bce51bae4af79d5cfeb27023b5251f243fcd65dd1
Risk score: 174

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF file contains embedded JavaScript that uses eval() and String.fromCharCode() to obfuscate its actions. The script reconstructs a URL, likely for downloading a secondary payload. The PDF_JS_EXPLOIT_CLUSTER and ML_NYX_PDF_MALICIOUS heuristics together indicate a high likelihood of exploitation. The reconstructed URL is 'http://color.org/color.xmp'.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9377

Heuristics (9)

  • PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call (high, PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Additional-actions dictionary (low, PDF_AA)
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm), which can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.).
  • String.fromCharCode (low, PDF_FROMCHARCODE)
    String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.color.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (16)

Files carved from inside the sample during analysis. Each entry lists filename, SHA-256, kind, source and size, followed by per-artifact detection results where available.

  • PM.joboptions
    SHA-256: 5cf97cfee76c3bcd5d889b3138e05d6571e7d097b173dd3eee4be6813c9dd743
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 92 at offset 0x11505
    Size: 12758 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 12 long base64-like blob(s))
  • javascript_obj0026_003.js
    SHA-256: e5629b846fc6e20a44c0c60417741ee5dae627e30839121b3194fbf848c99ec2
    Kind: pdf-javascript-stream
    Source: PDF /JS object 26 at offset 0x1DD8
    Size: 5775 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s))
  • font_00_cff_off00013992.bin
    SHA-256: 66b568c63de9f6bf19ac6b22e6bb9fbdfcbfdb789a7d8ef22fe68a20c41b1738
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x13992
    Size: 1720 bytes
  • font_01_cff_off00014004.bin
    SHA-256: caad8bd8dc8464a6915782714ecde11465790f5f781f4dc806026ae9d0ba8630
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x14004
    Size: 824 bytes
  • font_02_cff_off00014389.bin
    SHA-256: a6dc06179917b7934eebd7c472604ce3ad1289f79feb0b8bdc540354bb9baa26
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x14389
    Size: 6344 bytes
  • font_03_cff_off0001590e.bin
    SHA-256: 7b72eff1c510ca6810551336772e863c9c20d59276d90f71f775be4acdc1d257
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1590E
    Size: 3047 bytes
  • font_04_cff_off00016433.bin
    SHA-256: 72c500ca285983f4c83c79052fb4a04561231a16de22ad5623f99d4d43b274c4
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x16433
    Size: 5495 bytes
  • font_05_cff_off00017697.bin
    SHA-256: 30d50c85aa709192f00017e6ee6aa5bb5996de9f273b451a1004ccf4e6e74e67
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x17697
    Size: 16542 bytes
  • font_06_cff_off0001a6af.bin
    SHA-256: 6a8b0673f0b92cc505847e4335f8bfb18f60b3619c7f5fc73b92be209fc81ba6
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1A6AF
    Size: 9614 bytes
  • font_07_cff_off0001c5ed.bin
    SHA-256: f6d8880735d2495d620eb78f9743bb32fac909cb58fb42398775c8f2f7b3e375
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1C5ED
    Size: 154 bytes
  • font_08_cff_off0001c6da.bin
    SHA-256: 6e066f27adb83acaeec904cd9ff2f04cbea0df0bb14f920eebed36485a5ff0e7
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1C6DA
    Size: 6513 bytes
  • font_09_cff_off0001ddd2.bin
    SHA-256: fa6da6454e2d77712ddfcd79b59850d36a89ad730d409a7e30e49c60eecb988b
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1DDD2
    Size: 7807 bytes
  • font_10_cff_off0001f90a.bin
    SHA-256: 71ed8cb41f1ee45a44bacb6f848f625ff0ccf4d62fce8ecf6edf18797833cd24
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1F90A
    Size: 1894 bytes
  • font_11_cff_off0001ffa4.bin
    SHA-256: 0888fcd61d63d6bc513bc23b06a814b268e4aa85ff0e303a7ed5681b33697a06
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1FFA4
    Size: 8886 bytes
  • font_12_cff_off00021b98.bin
    SHA-256: 29ed16f03b494a95fb0fb1dcb077a3dc38091c4a63a1cff67d61e840d5ff8150
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x21B98
    Size: 1157 bytes
  • font_13_cff_off00021f3b.bin
    SHA-256: e95d37a17f542c3e361adbed2914a0ea743a38ce27798260017228fea29ad572
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x21F3B
    Size: 4704 bytes