Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f3ce2acf14bfd8a…

MALICIOUS

PDF

Size: 640.1 KB
Created: 2010-01-25 09:26:27 +01:00
Authoring application: 127162, via PLOT 4.4.2.3 (via AFPL Ghostscript 8.54)
MD5: fd5ebdec704a72340cec09ac1b2b9130
SHA-1: f3224e7617ca2bbee8333bbad076125232a30da4
SHA-256: 7f3ce2acf14bfd8afadf1f7624bfdd913637f994b1dfb7b1ea672e86d7900143
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF contains embedded JavaScript and an embedded PDF file, both of which are flagged as suspicious. The ML classifier strongly indicates maliciousness. The embedded JavaScript likely attempts to download and execute a second-stage payload, as suggested by the PDF_JAVASCRIPT and PDF_JS heuristics. The embedded PDF child also has suspicious static findings, indicating a multi-stage attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9644

Heuristics (7)

  • Embedded PDF child has suspicious static findings critical PDF_EMBEDDED_CHILD_STATIC_TRIAGE
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • 5904104_DNV.pdf
    SHA-256: 038c52303012446c07c19558b9176fa7e8bdb5883d57755fe81f65eb201eddc5
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 70 at offset 0x54D9D
    Size: 235538 bytes
  • javascript_obj0073_000.js
    SHA-256: 97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61
    Kind: pdf-javascript-stream
    Source: PDF /JS object 73 at offset 0x9B207
    Size: 1946 bytes
  • icc_00_off000021e8.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x21E8
    Size: 3144 bytes
  • font_00_sfnt_off00004749.bin
    SHA-256: f6d0b6ff4af9c18a0840d931766e72e9d509bec881d623f290d6adbb30288735
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4749
    Size: 25919 bytes
  • font_01_sfnt_off00007dec.bin
    SHA-256: a6e5a3e32a5f55bad8416b17db6a9e1784ad79efa0ec6f1100294b45df89af75
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7DEC
    Size: 24068 bytes