Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a2b460aa04813d4…

MALICIOUS

PDF

615.8 KB Created: 2009-10-04 13:45:55 Authoring application: Scribus 1.3.5svn (via Scribus PDF Library 1.3.5svn)
MD5: 1cf33eb86e0ceb0aa08035e39cf18572 SHA-1: 583677814ab3c0e193c9c34fdb0eb9cbd06aeb04 SHA-256: 7a2b460aa04813d40d47505be4e3562600040d334cfe79f558848fadf1fb8e63
178 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript that utilizes unescape() and String.fromCharCode functions, indicative of obfuscation and exploitation. The ML classifier strongly flagged this PDF as malicious. The embedded JavaScript is designed to download and execute a second-stage payload, as suggested by the exploit cluster heuristics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9697

Heuristics 8

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.InsiderSoftware.com/fontlist/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://www.iec.ch
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
    • http://www.microsoft.com/typography
    • https://www.verisign.com/repository/CPS��
    • https://www.verisign.com
    • https://www.verisign.com/repository/verisignlogo.gif0��
    • https://www.verisign.com/CPS0b
    • http://www.microsoft.com/truetype/0
    • https://www.verisign.com/repository/RPA0
    • https://www.verisign.com/repository/verisignlogo.gif0�
    • https://www.verisign.com/CPS
    • https://www.verisign.com/repository/CPS

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0161_001.js
f36cf0f6e3d0f821f0824fcb724083a0778aa08e0309eee25f75c5862cfa8cf1		 pdf-javascript-stream PDF /JS object 161 at offset 0x4BFBB 13119 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
icc_00_off00042dd9.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x42DD9 3144 bytes
font_00_sfnt_off00004e2c.bin
5f96e1e90c4ef56487c91d02c05141dca0967f8e2bbd5d67be6c4f381f0afa79		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4E2C 62160 bytes
font_01_sfnt_off0000e282.bin
b661c2e877dd6b7625208ae148d736aedb24eda2d4f014262cbb7f958f538ca0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE282 71216 bytes
font_02_sfnt_off0001b2dd.bin
8b62f203a4ab5c2ac76368029c584b4fa12fffc17f3b6e4e43a9997416807d21		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1B2DD 11156 bytes
font_03_sfnt_off0001d28e.bin
d375c22ace40f0b973d7308d85023b2e0e49d40dc51da45552d116868346475e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1D28E 37232 bytes
font_04_sfnt_off000240e5.bin
afeb9e1e920aae3aca3f295f1bbccba46b16423dac14b1b5fde4b661de9198cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x240E5 46764 bytes
font_05_sfnt_off0002c960.bin
95592346b00d039686aa3d7e22eae3d52b011e7e842a5c123f73e89ea766cd35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2C960 22628 bytes
font_06_sfnt_off00038a0b.bin
6cf6df6beee88aa138f821122d0c1969b348cebe09cafe5b5f6a7eb8c27107a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x38A0B 32640 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.