Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b5d4c5cc11e6de4…

Verdict: MALICIOUS
File type: PDF
Size: 464.0 KB
Created: 2010-03-16 14:56:25 +08:00
Authoring application: Adobe LiveCycle Designer ES 8.2
MD5: c93e8ef6b0011e0d19f01f11c10bba76
SHA-1: e1f98dd5cf8128a908e795ed680128289430889a
SHA-256: 7b5d4c5cc11e6de451778a41a0e6079d1734b78139075b5cee776f5b82125f06
Risk Score: 118

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF document contains JavaScript actions and is identified as an XFA form; both are common vectors for exploiting PDF reader vulnerabilities. The ML classifier strongly indicates maliciousness. While no specific URLs are confirmed malicious, the combination of JavaScript and embedded files suggests the document is designed to execute code and potentially download further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9974

Heuristics (6)

  • JavaScript action (low, 1 related finding) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded file (low) PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form (low) PDF_XFA
    PDF uses XML Forms Architecture (XFA), which can contain script logic.
  • PDF paints image(s) but contains no text operators (info) PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
embedded_file_obj0002.bin | pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0x50B | 1587 bytes | 444d6d82bf278239c586a47ac22b38bc52ef0567885d34677b63697694199d94
embedded_file_obj0003.bin | pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x7FC | 1131 bytes | b7a0d22ac75abe2687fb5f359888909250f2da2c07714300e3f996843b09f50d
embedded_file_obj0004.bin | pdf-embedded-file | PDF EmbeddedFile object 4 at offset 0xAB8 | 3023 bytes | f6828dd1c2c33f5f9b3d297876597a713abd12a8e3a8bcc14eda8a62895139c5
embedded_file_obj0005.bin | pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0xE49 | 1147 bytes | cf065dc4fd2d15fa5738d48dc81edfceb1e16b432145bd109187b7245ff7b331
embedded_file_obj0058.bin | pdf-embedded-file | PDF EmbeddedFile object 58 at offset 0x73719 | 162 bytes | afc37dfd267afc85da413af5b7bc1e8f5d4bd93a706404932b8c311efda57b71
embedded_file_obj0059.bin | pdf-embedded-file | PDF EmbeddedFile object 59 at offset 0x7380C | 263 bytes | 7cf53d1b73d36e3e106802f55ddf832413e6fd7f6cbb683494a84f88caad15b1
embedded_file_obj0060.bin | pdf-embedded-file | PDF EmbeddedFile object 60 at offset 0x7392F | 1714 bytes | f77000e4c9a6b068d110e6af56cf50936305ee7b5f276601453a62e51af75b6b
font_00_sfnt_off0000108f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x108F | 36717 bytes | 3a47365ba29be93b97be381e34ec3c7ef0a10e0f82cdb3dadd6fb11f2800fdb3