Malicious PDF — malware analysis report

Static analysis result for SHA-256 706317593217b4f1…

MALICIOUS

PDF

982.8 KB Created: 2007-04-16 09:27:52 +02:00 Authoring application: PDFPublishing (via Adobe Acrobat 3D Toolkit 4.1.0.0)
MD5: 78ca848870d99ed1b2f991aa2413479a SHA-1: 1000ca3afebb987249a0630d0c3d1232f7facc45 SHA-256: 706317593217b4f11fe70c5a0a6f065d52b1de7042ce708e5256fa35a5b0d637
390 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that leverages XFA forms and calls to eval() and unescape() functions, indicating an attempt to exploit vulnerabilities. The script constructs a URL, 'http://cgi.adobe.com/special/acrobat/update', which is likely used to download a second-stage payload. The presence of U3D content and multiple embedded files further supports the malicious nature of this document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics 16

  • XFA form contains risky executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behavior is present.
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • Embedded PDF child has suspicious static findings critical PDF_EMBEDDED_CHILD_STATIC_TRIAGE
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Embedded script payload in PDF stream low PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.pdfmachine.com
    • http://www.broadgun.com)Tj
    • http://pdfmachine.com
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.your.domain.com
    • http://purl.org/dc/elements/1.1/
    • http://cgi.adobe.com/special/acrobat/update
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.4/
    • http://www.xfa.org/schema/xfa-template/2.2/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xfdf/

Extracted artifacts 19

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x50794 85 bytes
embedded_file_obj0009.bin
ce75a85ad744dc6bd3f985f71c092883b743463972eff168ee9ffb2336c4b0c8		 pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x50845 1333 bytes
embedded_file_obj0010.bin
34947838c6ff704a8af99b706b5a0d69774d4b8df3f1ab25c0f1afe9ac8be76b		 pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x50AC7 66943 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 17 eval/decoder/string-building token(s).
embedded_file_obj0011.bin
5f46a4aa50bf20cf566ff569220627bd3d337eb0f82d34eb699337756ad09c73		 pdf-embedded-file PDF EmbeddedFile object 11 at offset 0x5ADBB 2262 bytes
embedded_file_obj0012.bin
e45851fdfd997f7b3eae0f62d6f4820fe7801f3abb9b20f7bb34e90c22f8e732		 pdf-embedded-file PDF EmbeddedFile object 12 at offset 0x5B09E 142 bytes
embedded_file_obj0013.bin
64c0bb66f310529eab132369c19856140bcd190d2ce069d57343c3caa9ac2709		 pdf-embedded-file PDF EmbeddedFile object 13 at offset 0x5B164 724 bytes
embedded_file_obj0014.bin
a60265344cf1a9e94da34c8f587f64a4297e2fa417c895852209903ab7588bcc		 pdf-embedded-file PDF EmbeddedFile object 14 at offset 0x5B344 85 bytes
disclaimer.pdf
890cb280c647c2743048717ed8c46eb42225594f115f08c85db53169c8ea46b5		 pdf-embedded-file PDF EmbeddedFile object 16 at offset 0x5B4F3 10232 bytes
21130-412.stp
9cce24d3fe7fc9c6f7399977fd365cff72bb77442091942b3670cebac5c6867f		 pdf-embedded-file PDF EmbeddedFile object 17 at offset 0x66941 3682481 bytes
21130-412.pdf
4c7271b958fc04074332151a3feb36f69acbc670e62e7f7188965acb812b8b10		 pdf-embedded-file PDF EmbeddedFile object 18 at offset 0xDEA28 30542 bytes
21130-412.dxf
12af1d15d99a6b379d3ba042908e0d364a9704823920d1a86b0d2d860c18cf4b		 pdf-embedded-file PDF EmbeddedFile object 19 at offset 0xE5E73 306603 bytes
21130-412.dwg
2427425ea38aa507a14f0c6471f4b298d89acf65636a40b2010a204a91b57acd		 pdf-embedded-file PDF EmbeddedFile object 20 at offset 0xEC6F3 90506 bytes
javascript_obj0032_000.js
c876171bd867b66b7671fb337ff9e57d18cd15b43d344cf5a7243821300a408a		 pdf-javascript-stream PDF /JS object 32 at offset 0x958 1528 bytes
javascript_obj0033_001.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 pdf-javascript-stream PDF /JS object 33 at offset 0xB3C 870 bytes
javascript_obj0034_002.js
c2d25683b87f35b2c97fd55b4b4d3fb2c8e428989cc7f8de755a12031e1ce557		 pdf-javascript-stream PDF /JS object 34 at offset 0xC91 3843 bytes
javascript_obj0077_003.js
d141bf166de2b1dedd670b890c6789bc305514dcd544f95b9a1da817f392c336		 pdf-javascript-stream PDF /JS object 77 at offset 0x4ECE6 28084 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 26 long hex-escaped blob(s).
font_00_cff_off00006a08.bin
28345a751bc247acbf8155171a43d69e366aa8df344a8a0a8a8304436513e01c		 pdf-font-stream PDF embedded font (cff) at offset 0x6A08 66185 bytes
font_01_cff_off00011e7c.bin
96161e3d15cf67591ef2a1c87940c8dc0af59a94fcfab5d6bfcf4cb992a24af8		 pdf-font-stream PDF embedded font (cff) at offset 0x11E7C 64586 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.
u3d_00_off00024614.bin
fdd72b001b86f117c59b7d98ac0a2a58f5a252696284a2dec1f6ad77796f01e3		 pdf-3d-stream PDF U3D 3D stream at offset 0x24614 323148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.