Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c1a99435da5e1ed…

Verdict: MALICIOUS
File type: PDF
Size: 711.6 KB
MD5: 07db0d8094078d7323ffb5c6400ead37
SHA-1: 37e4cde75c4665f87ca5819ace562e54f1aaa1c4
SHA-256: 7c1a99435da5e1ed5a6dc667215e50b94a6b10673b57ae7f064d76e8542d46dd
Risk score: 294

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains JavaScript that calls exportDataObject with the nLaunch parameter set, which automatically extracts and launches an embedded executable file named RFQ_4155965-Order_EU2406.exe. This is a common technique for delivering malware disguised as a document. The embedded file was detected by ClamAV as Win.Trojan.Autoit-10032689-0.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (7)

  • Hidden ZIP payload with executable entries inside PDF stream [critical, PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD]
    PDF stream bytes contain an embedded ZIP archive whose local headers name executable payload files. This is not a normal PDF attachment (/EmbeddedFile); it hides Windows payloads inside an ordinary stream, a strong malware-loader or smuggling pattern.
  • exportDataObject + nLaunch — embedded-file launch-on-open dropper [critical, PDF_JS_EXPORT_LAUNCH_DROPPER]
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • ClamAV: Win.Trojan.Autoit-10032689-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Autoit-10032689-0
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action [low, PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low, PDF_EMBEDDED]
    PDF embeds a file attachment — it could carry an executable or another weaponised document as a nested payload.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: RFQ_4155965-Order_EU2406.uue
  SHA-256: 697774af60f11d033be716cf4982a605d5c5ffa658f42df73235ee26514c949f
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 8 at offset 0x5DD
  Size: 727320 bytes
  Detection: ClamAV: Win.Trojan.Autoit-10032689-0
  Obfuscation or payload: unlikely

Filename: javascript_obj0009_000.js
  SHA-256: d867af0ce76060dad66cab337b30df8b795dddd7c8f465dbe5ec2604c502cd71
  Kind: pdf-javascript-stream
  Source: PDF /JS object 9 at offset 0xB1C93
  Size: 77 bytes

Filename: javascript_obj0009_001.js
  SHA-256: 379ba817f0ce5a75b7ac318dd63c7833a4c78a9373c744351a1a2b091e3e2a0f
  Kind: pdf-javascript-stream
  Source: PDF /JS object 9 at offset 0xB1C93
  Size: 75 bytes

Filename: hidden_pdf_zip_off000005e4.zip
  SHA-256: 9cabf607ffc7c3682aec0aa7eb4a1d05485bb97014741cc45f7bcdfae4aad491
  Kind: pdf-hidden-zip
  Source: PDF raw stream ZIP payload at offset 0x5E4
  Size: 726680 bytes

Filename: combined_document_js_000.js
  SHA-256: 55056b027a00fdeba777c5f7cda845566a39018b69bbfb4442d37ed5ddf66aaf
  Kind: deobfuscated-js
  Source: combined document JavaScript streams at offset 0xB1C93
  Size: 153 bytes