Malicious PDF — malware analysis report

Static analysis result for SHA-256 7513ef81cd777a11…

MALICIOUS

PDF

25.8 KB
MD5: c311ce69fe0072bdb184106dd10c7ab0 SHA-1: 597ecd8cc6d7a3fd4ff587fae76a96eb2bc4820d SHA-256: 7513ef81cd777a1161c7bb9dae3acb414c41d71ca215c33f3440dd35d60ec360
256 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that utilizes the `exportDataObject` and `nLaunch` functions to automatically launch an embedded document named 'pdoc.doc'. Heuristics and ClamAV detection strongly indicate exploitation of CVE-2017-11882, a vulnerability in the Microsoft Office Equation Editor, which is commonly used to deliver second-stage payloads. The embedded artifact 'pdoc.doc' is also flagged by ClamAV with a signature related to this exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • exportDataObject + nLaunch — embedded-file launch-on-open dropper critical PDF_JS_EXPORT_LAUNCH_DROPPER
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • ClamAV: Rtf.Exploit.CVE_2017_11882-6584355-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_11882-6584355-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
pdoc.doc
0f2d8e35480cedfb9131461352e2c5f9ed3241f4832621ec54519c86c9dd0d9e		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x387 8344 bytes
Detection
ClamAV: Rtf.Exploit.CVE_2017_11882-6584355-1
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
javascript_obj0009_000.js
ad331a213418b29bab99ee2b1c7f19d5f6a516a4211d51b85f67bee91f948c8c		 pdf-javascript-stream PDF /JS object 9 at offset 0x6586 57 bytes
javascript_obj0009_001.js
cad53703893c9eac8f9d19f47ee65ff1998b329a725eb2992661f7f472b4a4bc		 pdf-javascript-stream PDF /JS object 9 at offset 0x6586 55 bytes
combined_document_js_000.js
58d51a49deb53d6f2598cf4466696299951807d54ca36f93822f60c45057e034		 deobfuscated-js combined document JavaScript streams at offset 0x6586 113 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.