Malicious PDF — malware analysis report

Static analysis result for SHA-256 725a8848f95fbafd…

MALICIOUS

PDF

4.11 MB Created: 2002-12-12 17:43:47 -07:00 Authoring application: Adobe Illustrator 10.0 (via Adobe PDF library 5.00)
MD5: 185f17839a4d1d8f863867b6cd6778dd SHA-1: 493b0d93ccfe79951bffc62dadd7f11edd382915 SHA-256: 725a8848f95fbafd4d85e451075804f917d40a74572ca819452f45a2f3aaa0a2
110 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and an embedded Windows executable payload, indicating it is designed to deliver malware. The ML classifier strongly flags this PDF as malicious. The presence of JavaScript suggests an attempt to exploit vulnerabilities or download further malicious content. The embedded executable is the primary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9932

Heuristics 5

  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
    • http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
    • http://search-network-plus.com/load.php?a=a&st=Internet
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://www.mozilla.org/MPL/
    • http://schemas.xmlsoap.org/soap/envelope/
    • http://www.w3.org/2001/XMLSchema-instance
    • http://www.w3.org/2001/XMLSchema
    • http://schemas.xmlsoap.org/soap/encoding/
    • http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
    • http://news.bbc.co.uk/go/rss/-/2/hi/americas/8540282.stm
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#_35
    • https://pfs.mozilla.org/plugins/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_00042000.exe
76c80d3472faaed0c2e4b3d467390a6dc7314a5cc6805b2124dee864e5318f2c		 embedded-pe PDF raw stream PE payload at offset 0x42000 617948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.