Malicious PDF — malware analysis report

Static analysis result for SHA-256 73d584345330e722…

Verdict: MALICIOUS
File type: PDF
Size: 2.72 MB
MD5: 993117b5bc719a1095063f7abfac4d42
SHA-1: 350a87802bfb04a06e50a1bf323d5891ee3f4573
SHA-256: 73d584345330e7222a5172cf23d14a55792de8f977931e8c9d497cf318f113b3
Risk score: 198

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript that utilizes the `exportDataObject` and `nLaunch` functions, indicating an intent to drop and automatically launch an embedded file. The embedded artifact is named 'nnn.doc', which is also referenced in the document body and the deobfuscated JavaScript. This dropper functionality is a common technique for delivering secondary payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (8)

  • exportDataObject + nLaunch — embedded-file launch-on-open dropper [critical] PDF_JS_EXPORT_LAUNCH_DROPPER
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • ClamAV: Pdf.Dropper.Agent-7640984-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7640984-0
  • ASCIIHexDecode filter (with exploit indicators) [medium] PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • nnn.doc
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0x56B
    Size: 949756 bytes
    SHA-256: 953f99c26fb635c3295f78c6809ba3897050fa205f274d6af30d16ba6f97259c
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 80 long base64-like blob(s))
  • javascript_obj0009_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 9 at offset 0x2B8092
    Size: 56 bytes
    SHA-256: 28b4127ea8fa5e65232b0d0108def5281a3204354def709a00744297b2a88f37
  • javascript_obj0009_001.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 9 at offset 0x2B8092
    Size: 54 bytes
    SHA-256: 963ed45f988dbd45078acd836821e4c07e4ff29a40c2bbac3ba51e198c3b45e8
  • combined_document_js_000.js
    Kind: deobfuscated-js
    Source: combined document JavaScript streams at offset 0x2B8092
    Size: 111 bytes
    SHA-256: 75533713bc3c8f7156c75ac8c0807743561d0576be27ef326ea5936169827022