Malicious PDF — malware analysis report

Static analysis result for SHA-256 801327f5bc977c9d…

MALICIOUS

PDF

125.2 KB Authoring application: Python PDF Library 055 http072057057pybrary056net057pyPdf057
MD5: 27fe0fc8b44ec4b21e9b7eec155a0476 SHA-1: 77b45822203871e58837fce283489c16a4e3b392 SHA-256: 801327f5bc977c9da94ae3ea7d20d172f896c854ca1b9cb3789e9830c14d17c5
88 Risk Score

Malware Insights

MITRE ATT&CK
T1559.002 Component Object Model Hijacking

The PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript and RichMedia (Flash) content. The presence of an embedded SWF file named 'sploit.swf' further indicates a malicious intent, likely to exploit vulnerabilities within the PDF reader or the Flash player. The embedded URL, though confirmed benign, was present in the document text.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://adobe.com/AS3/2006/builtin

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
sploit.swf
f20d4773036855e9105ee72056325a2e16f4eedb49cbf128a1bfe1e45cd69660		 pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x1D0B3 781 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.