Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d45a03b32c4a9ba…

Verdict: MALICIOUS
File type: PDF
Size: 236.8 KB
First seen: 2022-06-24
MD5: 96d95ee6d0c9da16d245579ad1ff2e9f
SHA-1: f852ac58b11e6b314271e2afdd33da84fc3cb8d8
SHA-256: 6d45a03b32c4a9bab48c75bec8443b5af40ae43e055db77796a6328cb6e87ffe
Risk score: 86

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The critical heuristic 'PDF_JS_EXPORT_LAUNCH_DROPPER' indicates that this PDF is designed to launch an embedded object, likely a second-stage payload. The presence of JavaScript actions and an embedded JS stream further supports this, suggesting the script is responsible for the download and execution. The file's purpose is to act as a dropper for further malicious activity.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4872

Heuristics (5)

  • PDF_JS_EXPORT_LAUNCH_DROPPER (critical): exportDataObject + nLaunch — embedded-file launch-on-open dropper
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment. (matched in decompressed stream)
  • PDF_EMBEDDED (low): Embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF_IMAGE_ONLY_LURE (info): PDF paints image(s) but contains no text operators
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • embedded_file_obj0037.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 37 at offset 0x36DAD
    Size: 20040 bytes
    SHA-256: 30d5632ef75e81aa6a48eae64f2155acc39e64f6367a5c6152e8ec74b44ac6de
  • stream_022_off0003aee0.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3AEE0
    Size: 1248 bytes
    SHA-256: 1f13146812c2fb9994c753ce93617aa374318e16d721aeb2b6d73a1391118df4