Malicious PDF — malware analysis report

Static analysis result for SHA-256 70fb2037fd2a235d…

MALICIOUS

PDF

129.5 KB Created: ôEÓØ(Î õÅ`Y=—'ŠY(ª|ÙYéFkÊÐü҈ƹÌxKN§ÀjŸØæ·Ý Authoring application: v-ÐÂÉÍhÔIjy%a@Î`•á‰ç9–EÏûZèc:KE—ÑŒõ¨u4s•øj (via T¿šçÙ#ÑU8(ÑÙl¡f‰ƒ‰>¨m*ڌPùFSágÁ£ÚnmzÈ b ¨ò0ˆ’K)
MD5: 9240f9cc32164d333699aa913b255d73 SHA-1: 824e2c433cf850290986c6aa3e848f988a8f4831 SHA-256: 70fb2037fd2a235d0c2b75d70cf9545f6d01a9cc42742fbdac4d9bb52f3a0894
104 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF file is encrypted and contains JavaScript actions, indicating an attempt to hide malicious content. The embedded JavaScript streams, particularly 'javascript_obj0138_016.js', contain form validation logic and string manipulation, suggesting it's designed to interact with the user and potentially download further content. The heuristics also indicate urgency and payment lures, consistent with phishing or scam attempts.

Machine Learning

  • Nyx PDF Classifier clean score 0.1679

Heuristics 9

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/illustrator/1.0/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/g/
    • http://ns.adobe.com/pdf/1.3/
    • http://www.iec.ch

Extracted artifacts 30

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0137_015.js
6aa37557b3d4bd63b6d9f3b6c5371fc58bdd74cf1110fbcf20a3f459a686f255		 pdf-javascript-stream PDF /JS object 137 at offset 0xDB5E 6482 bytes
javascript_obj0138_016.js
0af94d0350111a52636f10247e5e40a735a80cf434ca2cf1f74d967cb3a1b8cf		 pdf-javascript-stream PDF /JS object 138 at offset 0xE3A5 32638 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj0139_017.js
8593be3d45bfad31f9288b7eca32f6ec0251453a5e01eafd3d6f3c915736dce6		 pdf-javascript-stream PDF /JS object 139 at offset 0x1064C 3496 bytes
icc_00_off00012bca.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x12BCA 3144 bytes
font_00_cff_off00014ed9.bin
767e65b786e4b18d7453a0eb533ef58f3a9f60d98f53e4afa280c074b896dc16		 pdf-font-stream PDF embedded font (cff) at offset 0x14ED9 5465 bytes
font_01_cff_off00015eb6.bin
aced473380a926292515a0f7b7b30a371ebd004af4f7e7cc54ca23deda5be916		 pdf-font-stream PDF embedded font (cff) at offset 0x15EB6 6173 bytes
font_02_cff_off0001723a.bin
112c99e080ee1fa226f2ef0fade8a63e6352c98bb89d4577971cff8fa8054843		 pdf-font-stream PDF embedded font (cff) at offset 0x1723A 2057 bytes
font_03_cff_off00017980.bin
9616922ec2cbc1402a450f24a37b19316f2040923c3957c3057c1fbff8311db6		 pdf-font-stream PDF embedded font (cff) at offset 0x17980 1455 bytes
font_04_cff_off00017f20.bin
1a9291865438452f47302b46c715e012a4aa9a2df6892aef1f58b1e773c6f939		 pdf-font-stream PDF embedded font (cff) at offset 0x17F20 4514 bytes
font_05_cff_off0001c4a1.bin
835e9bf5a628e196df1ab415fd52dcbadf981d91bea01d527d3554a44b3c3e7b		 pdf-font-stream PDF embedded font (cff) at offset 0x1C4A1 2303 bytes
font_06_cff_off0001cc22.bin
4b18ce892332988175a5ece228a5c1b92c20f0d4313942f5082de739a19aa91d		 pdf-font-stream PDF embedded font (cff) at offset 0x1CC22 1008 bytes
javascript_obj0148_000.js
95bd9a79fb64c0ff2463bf59dd087a478b9b52c25e00acd3743cabae93680da3		 pdf-javascript-stream PDF /JS object 148 at offset 0x1DF2E 32 bytes
javascript_obj0149_001.js
be97a4e837e1c7f5b5a19500bf748f8b58bf2eaf64a1afcf12d0707a94fc88fe		 pdf-javascript-stream PDF /JS object 149 at offset 0x1DF7A 48 bytes
javascript_obj0152_002.js
1255717d1da6ebc594b389f1a89f857828c0bab268f95fcb271a744418d64dfa		 pdf-javascript-stream PDF /JS object 152 at offset 0x1E4CF 32 bytes
javascript_obj0153_003.js
f611353251604f955fca8ae151347ecf874cee126ad1989a71963276e3a760eb		 pdf-javascript-stream PDF /JS object 153 at offset 0x1E51B 32 bytes
javascript_obj0154_004.js
42fa6ddf83bcdb879449612e7a7a25ac06d386790e102866a44cebba6cb40f82		 pdf-javascript-stream PDF /JS object 154 at offset 0x1E566 48 bytes
javascript_obj0155_005.js
71284b0a715c692953fc5853a315a345726b355c4584072527b88de021e4625b		 pdf-javascript-stream PDF /JS object 155 at offset 0x1E5C1 32 bytes
javascript_obj0156_006.js
434fe96e46286789ccc898cf6ba352ffc2d5741b30ec41388130b201a8833aea		 pdf-javascript-stream PDF /JS object 156 at offset 0x1E60E 32 bytes
javascript_obj0157_007.js
addedc86b495fd244207d46006e73aa27565ef80de92745c55a30c9c65e23ab7		 pdf-javascript-stream PDF /JS object 157 at offset 0x1E659 48 bytes
javascript_obj0158_008.js
80fabb351328444213eff31ffb2daf6c3344480590031db3cc2164181b80ad43		 pdf-javascript-stream PDF /JS object 158 at offset 0x1E6B5 48 bytes
javascript_obj0159_009.js
b2f1a70eca0f57e823f2843c7c48484f5a1ea354dedc77c498155e46a1bd5216		 pdf-javascript-stream PDF /JS object 159 at offset 0x1E711 32 bytes
javascript_obj0160_010.js
41bcf1cb1a76b6924d38ee0478c5b1ba52b6a6b5a80eb340436c7b92bed84e41		 pdf-javascript-stream PDF /JS object 160 at offset 0x1E75C 32 bytes
javascript_obj0161_011.js
b9bad6d83fa9db1cb5230f30f6d09bb6514b77bb9f02d3d0221cd9781c3ff873		 pdf-javascript-stream PDF /JS object 161 at offset 0x1E7A8 48 bytes
javascript_obj0162_012.js
21a5a54051c7469b27eb331f105e3e4adfa398aeb6d2666b3a3dd1468ff948c5		 pdf-javascript-stream PDF /JS object 162 at offset 0x1E803 48 bytes
javascript_obj0163_013.js
824881e944549b5ecbe9d08c8672ce4557942462dd82b7adc92d9e05f0564bf8		 pdf-javascript-stream PDF /JS object 163 at offset 0x1E85F 48 bytes
javascript_obj0164_014.js
cfe912087d64e605cffd8f12c368317307f9a97631fddc45c5697dca1df8119f		 pdf-javascript-stream PDF /JS object 164 at offset 0x1E8BA 48 bytes
javascript_obj0165_015.js
5cbc9cbcd0b86ca9a1fa78955a894ed8f0a2895954af930a494ca800b952fb46		 pdf-javascript-stream PDF /JS object 165 at offset 0x1E916 48 bytes
javascript_obj0166_016.js
7fe1e51e63ae4abcf2cd427df850ae163521ed7ba6dc45f2b7c48d4333c03d79		 pdf-javascript-stream PDF /JS object 166 at offset 0x1E972 48 bytes
javascript_obj0167_017.js
259ada4b97baa75322138d54cc2162219177e64ca45d24260a3f9a06e062eefc		 pdf-javascript-stream PDF /JS object 167 at offset 0x1E9CD 32 bytes
javascript_obj0168_018.js
91033029e25c38586ade3f88c88fb91cefcc407d3451d1ef792e8676fc94e742		 pdf-javascript-stream PDF /JS object 168 at offset 0x1EA19 48 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.