Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e69dcba8e81b48e…

MALICIOUS

PDF

62.0 KB Created: 15.03.2007, 16:36 Authoring application: Acrobat PDFMaker 7.0 für Word (via Adobe Acrobat 7.08)
MD5: 44317ca0b74ebafa2d9731412629d830 SHA-1: a4e663deb32ec0cc714ab77f8fb1f25386c3d3a0 SHA-256: 6e69dcba8e81b48ea7e8636de5c24cd772c49161c264744dccb107d1560a6d08
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF sample contains embedded JavaScript streams, with one stream exhibiting significant obfuscation and triggering critical heuristics related to JavaScript exploits and eval() calls. The ML classifier also flagged the PDF as malicious. The JavaScript likely attempts to exploit a PDF viewer vulnerability to execute arbitrary code, potentially downloading a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9365

Heuristics 8

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0356_000.js
b7665eed4e3cab2ec530502a042eb10baf03022cca8c327d23c0d570e0e0dfff		 pdf-javascript-stream PDF /JS object 356 at offset 0x62D1 43 bytes
javascript_obj0291_009.js
304f7da264248a9d86b4a847105b99c160857eccd02f5dfe8a723cb65a79c4ed		 pdf-javascript-stream PDF /JS object 291 at offset 0xC88 10808 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.