Malicious PDF — malware analysis report

Static analysis result for SHA-256 84e07ccb2249a6f7…

Verdict: MALICIOUS
File type: PDF
Size: 5.86 MB
Authoring application: substr
MD5: fb99085d8ed7464e7a6253f4ca3a960a
SHA-1: 439f4ddaa72106049ebbf5cd9a58b9a0e9625fb4
SHA-256: 84e07ccb2249a6f7e21689cdfdbc518b3250e2d92819506d8c7f2cbb2e9c21b9
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file exhibits multiple heuristic firings related to embedded JavaScript and suspicious static findings within an embedded secondary PDF. The presence of JavaScript actions and embedded JS streams strongly suggests an attempt to execute malicious code. While no specific URLs or scripts were directly readable, the overall structure indicates a downloader or exploit delivery mechanism.

Machine Learning

  • Nyx PDF Classifier clean score 0.0157

Heuristics (6)

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • javascript_obj0001_000.js
    SHA-256: 19d105ce645920f83174c87e1c3f529f4f5b97cb89ae18049b811e1804605b06
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1 at offset 0x3D2CC
    Size: 489 bytes
  • stream_011_off0000d5da.bin
    SHA-256: 4953ce955d2ee88454f031cbaf183613f0c08bb02217da919121249b3c8ba3d5
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xD5DA
    Size: 87216 bytes
  • stream_012_off00018a45.bin
    SHA-256: c259cd8843785784a9c8c9396881ab6921d228cb5ee7c633ccf3f26e66337773
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x18A45
    Size: 86596 bytes
  • stream_022_off000605d7.bin
    SHA-256: b85f5e73461e5e1af229ac957ed71f61201a0b5a277dea3c354ace88eec1b0e6
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x605D7
    Size: 26204 bytes
  • stream_050_off000efe03.bin
    SHA-256: 3e62a4e7ba9c65e4eb20e694d4f1373782baed9738e7a11e68b3bf34c00158d4
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xEFE03
    Size: 188106 bytes
  • stream_051_off000fab32.bin
    SHA-256: 050fea696be88d2ecfac9982d9ee7b13f0317b2fc46d2a88b8b6b0a81a9c5757
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xFAB32
    Size: 181686 bytes
  • stream_088_off0019a24c.bin
    SHA-256: c24fc71523a4c386b5296eb738de580a7a071becd3671ad55774653ec945923b
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x19A24C
    Size: 717410 bytes
  • stream_098_off00217138.bin
    SHA-256: afdeeb3bc942fafb314a4597f70cfa968c28c403b177e1ef0bc8251487700d06
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x217138
    Size: 717410 bytes
  • stream_100_off0023f763.bin
    SHA-256: 344a52ca3c3d94db69820d1fe6fca7be8615fc4bfc98286f7f9626f1bc729e60
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x23F763
    Size: 717410 bytes
  • icc_00_off000056ef.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x56EF
    Size: 3144 bytes
  • font_02_sfnt_off00024041.bin
    SHA-256: 1244cd04269ccf37b81a170b81d5d783eb3aa1a8954d869ca047c3a7a3197549
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x24041
    Size: 77248 bytes
  • font_03_sfnt_off0002e068.bin
    SHA-256: 5d35a50bf545034b2fbe001e72dc3cffcc7f3b4d82e685906a64e53c49500b80
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2E068
    Size: 60280 bytes
  • font_04_sfnt_off0007dd16.bin
    SHA-256: b58c33098c25cfa616608de1d68e4c666e1d0a001e6aa4bb2862a047d059df83
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7DD16
    Size: 17543 bytes
  • font_05_cff_off000b9f5c.bin
    SHA-256: 8e982609fb7f7dd147e0b2f7fdc1277574016fb2da027f754409e1ed8b003265
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xB9F5C
    Size: 4471 bytes
  • polyglot_child_pdf_off00034e2a.pdf
    SHA-256: d7b0737efebe5209609e4b166bf570917201cde53ca5fae560e8e6a974fef845
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x34E2A
    Size: 5927382 bytes

Detection

ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).