Malicious PDF — malware analysis report

Static analysis result for SHA-256 6aa600ab682cbadc…

Verdict: MALICIOUS
File type: PDF
Size: 206.2 KB
MD5: bf0bc4497e2a868b2d93631d06349e25
SHA-1: e5aa29346e3180586377bec45db61a26e0d163ba
SHA-256: 6aa600ab682cbadc6d07b8dd05caf9053bb0f1284f64b9cf84169819ad3b5b32
Risk score: 200

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF file contains embedded JavaScript that is heavily obfuscated but appears to be designed to exploit a PDF vulnerability. The primary finding is an embedded Windows executable payload, indicating the document's intent is to deliver malware. The JavaScript likely facilitates the execution of this embedded payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (9)

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file with error "PSEOF" (premature end of file). The static heuristics still ran and their findings above remain valid; only the differential cross-check signal is missing.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.bitstream.com
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • javascript_obj0012_000.js
    SHA-256: b4308f69c6a5f62b339168e59834d6d75a1a29918b0fba50873800294b6fb5cc
    Kind: pdf-javascript-stream
    Source: PDF /JS object 12 at offset 0x31123
    Size: 14428 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)
  • stream_000_off00000339.bin
    SHA-256: e1d165d3f557c65da2c5d54e7f3961dedee9b6ec7579aeb3886b802d48233423
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x339
    Size: 297504 bytes
  • embedded_pdf_0002cd47.exe
    SHA-256: a476004091f95fb0998e0d635cf07a643757faa1c9b7f83d82eefd4313ec7ff9
    Kind: embedded-pe
    Source: PDF decompressed stream PE payload at offset 0x2CD47
    Size: 114706 bytes