Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b8f2473ac53f45b…

Verdict: MALICIOUS
File type: PDF
Size: 330.5 KB
MD5: 62c1034bb10a24d7469774057e0c920d
SHA-1: 95c4d639c78b8264703bd3617b55c053f5b7ecaa
SHA-256: 6b8f2473ac53f45bcbce44e4fed4c9c16afc124cdcf8b16b2b081e1efe8679ca
Risk score: 294

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript that calls the Acrobat JavaScript method `exportDataObject` with its `nLaunch` parameter set, so that on opening it extracts the embedded Windows executable `SSLTest.exe` and launches it without any further user action. The verdict is supported by two critical heuristics: a verified PE header inside a PDF stream, and the exportDataObject/nLaunch launch-on-open dropper pattern. ClamAV identified the embedded executable as Win.Packed.Darkkomet-9819952-0, a DarkComet RAT signature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (7)

  • [critical] PDF_EMBEDDED_PE_PAYLOAD: Embedded Windows executable payload in PDF stream
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • [critical] PDF_JS_EXPORT_LAUNCH_DROPPER: exportDataObject + nLaunch, embedded-file launch-on-open dropper
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • [critical] CLAMAV_DETECTION: ClamAV: Win.Packed.Darkkomet-9819952-0
    ClamAV detected this file as malware: Win.Packed.Darkkomet-9819952-0.
  • [critical] EXTRACTED_FILE_CLAMAV: ClamAV detection on extracted artifact
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • [low] PDF_JAVASCRIPT: JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_EMBEDDED: Embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
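The two critical heuristics above (a carved stream with a verified PE header, and an exportDataObject() call with nLaunch set) can be reproduced with a small scanner. The following Python is an added example written for this page, not the analysis platform's own rule engine. It builds a constructed minimal PDF that mirrors the report's layout (an /EmbeddedFile stream as object 8 holding a stand-in MZ/PE blob, a /JS stream as object 9 wired to /OpenAction), then walks stream objects with a regex, inflates FlateDecode streams, verifies the PE header by following e_lfanew to the "PE\0\0" signature, and flags exportDataObject calls whose nLaunch argument is 1 or 2. The object numbers, the stand-in PE bytes, and the regex-based object walker are assumptions for illustration; the nLaunch semantics follow the Acrobat JavaScript API (1 = save then launch, 2 = save to a temporary location and launch without prompting).

```python
"""Added example: detect an embedded-PE + exportDataObject/nLaunch dropper in a PDF."""
import hashlib
import re
import struct
import zlib

# One "N G obj << dict >> stream ... endstream" unit. The tempered (?:(?!endobj).)*?
# stops the dictionary match at the object boundary; nested << >> are tolerated because
# the match is anchored on ">> stream". Production tooling should honour /Length instead.
STREAM_OBJ = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL)
JS_REF = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")                  # /JS 9 0 R
JS_INLINE = re.compile(rb"/JS\s*\((.*?)(?<!\\)\)", re.DOTALL)   # /JS (app.alert(1))
EXPORT_LAUNCH = re.compile(rb"exportDataObject\s*\(\s*\{(?P<args>[^}]*)\}", re.DOTALL)
NLAUNCH = re.compile(rb"nLaunch\s*:\s*(\d+)")   # Acrobat API: 1 = save+launch, 2 = temp+launch
CNAME = re.compile(rb"cName\s*:\s*[\"']([^\"']+)[\"']")


def decode_stream(dictionary, raw):
    """Inflate FlateDecode streams; any other filter is returned undecoded."""
    if b"/FlateDecode" not in dictionary:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw


def is_pe(data):
    """True when data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_launch_calls(js):
    """(cName, nLaunch) for each exportDataObject call that launches the extracted file."""
    hits = []
    for call in EXPORT_LAUNCH.finditer(js):
        args = call.group("args")
        n = NLAUNCH.search(args)
        launch = int(n.group(1)) if n else 0   # nLaunch omitted or 0 means save only
        if launch >= 1:
            name = CNAME.search(args)
            hits.append((name.group(1).decode() if name else "?", launch))
    return hits


def scan_pdf(pdf):
    """Carve streams, verify PE headers, collect JavaScript, and correlate the two."""
    js_objs = {int(m.group(1)) for m in JS_REF.finditer(pdf)}
    js_blobs = [m.group(1) for m in JS_INLINE.finditer(pdf)]
    pe_payloads = []
    for m in STREAM_OBJ.finditer(pdf):
        objnum, dictionary, raw = int(m.group(1)), m.group(3), m.group(4)
        data = decode_stream(dictionary, raw)
        if objnum in js_objs:
            js_blobs.append(data)
        if is_pe(data):
            pe_payloads.append({"object": objnum, "offset": m.start(), "size": len(data),
                                "sha256": hashlib.sha256(data).hexdigest(),
                                "embedded_file": b"/EmbeddedFile" in dictionary})
    launches = [hit for js in js_blobs for hit in find_launch_calls(js)]
    return {"pe_payloads": pe_payloads, "launch_calls": launches,
            "dropper": bool(pe_payloads) and bool(launches)}


def fake_pe():
    """Constructed stand-in for a PE image: MZ stub, e_lfanew -> 'PE\\0\\0' at 0x80, padding."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 0x100


def build_sample_pdf():
    """Constructed minimal PDF mirroring the report: /EmbeddedFile obj 8, /JS obj 9 on /OpenAction."""
    payload = zlib.compress(fake_pe())
    js = b'this.exportDataObject({ cName: "SSLTest.exe", nLaunch: 2 });'
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS 9 0 R >>"
        b" /Names << /EmbeddedFiles << /Names [(SSLTest.exe) 7 0 R] >> >> >> endobj",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
        b"7 0 obj << /Type /Filespec /F (SSLTest.exe) /EF << /F 8 0 R >> >> endobj",
        b"8 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(payload) + payload + b"\nendstream endobj",
        b"9 0 obj << /Length %d >>\nstream\n" % len(js) + js + b"\nendstream endobj",
    ]
    return b"%PDF-1.7\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))
```

Running the file prints one PE payload carved from object 8 and one launch call for SSLTest.exe with nLaunch 2, so `dropper` is true. The two signals are deliberately correlated rather than scored in isolation: an /EmbeddedFile on its own is common in benign documents, and JavaScript on its own is common in forms, but a PE-headered stream plus a launch-on-open call has no legitimate workflow. Real samples also use xref tables, object streams and filters other than FlateDecode, so a production rule should sit on a full PDF parser rather than this regex walker.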

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • SSLTest.exe
    SHA-256: 1599a2b5e4ee178baa2b5f375f4abbf4e7f57a72310fa48101b98ae359a87c1b
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0x366
    Size: 674816 bytes
    Detection: ClamAV: Win.Packed.Darkkomet-9819952-0
    Obfuscation or payload: unlikely
  • javascript_obj0009_000.js
    SHA-256: 7e5e947b19b492e13e6445474100ae8f3793cdb625b5a6e13c910464d4bfca69
    Kind: pdf-javascript-stream
    Source: PDF /JS object 9 at offset 0x528AC
    Size: 60 bytes
  • javascript_obj0009_001.js
    SHA-256: 3dfc783d864896b039db52cb7a45c5919fa7c56d05cf0e4e62d8500a30808540
    Kind: pdf-javascript-stream
    Source: PDF /JS object 9 at offset 0x528AC
    Size: 58 bytes
  • combined_document_js_000.js
    SHA-256: 0d26744a8064cd1de54f8e36f9b51db92175f89e6790b8d7112001c8068f157b
    Kind: deobfuscated-js
    Source: combined document JavaScript streams at offset 0x528AC
    Size: 119 bytes