Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a20b7dd8f309030…

MALICIOUS

PDF

1.95 MB Created: –+jÜqŠì¸YÍ%_¥p­ÂóY¬¡ Authoring application: ,îX»AÀÜæi‹”: (via ,îX£AÂÜêi‘(”.Ÿ_ª›:·iù† ThKÀ÷•Y³ÊJcù)
MD5: be251f54373de8ba29281b66c10544e9 SHA-1: 58d3c0bcbb836fe5b652644b9391329953ae7c17 SHA-256: 7a20b7dd8f309030f89dba00b4b3d69d2c322e944cc979f3acbed1f95d7350e3
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript, which is used to obscure content and likely download and execute a second-stage payload. The ML classifier strongly indicates maliciousness. While the embedded URLs are not directly malicious, they are present within the document's structure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.monotype.comhttp://www.monotype.com/html/type/license.html
    • http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlNOTIFICATION

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js
9850dc3f8665ab7981898a05fdefb8ac5b0b7fc28317c3f0ad9daf0d51570a4e		 pdf-javascript-stream PDF /JS object 1 at offset 0xF 4096 bytes
font_00_sfnt_off00002f74.bin
908558b3049b2238526428de267b64a615dae2c05cc345d6a900f44e80a17bee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2F74 24488 bytes
javascript_obj0012_000.js
af01d4356abf60bf3be8ebd0d5aaa5482cbd9d13fc0c4ed2b0f648a33467ba74		 pdf-javascript-stream PDF /JS object 12 at offset 0x35F0 5150 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.