Malicious PDF — malware analysis report

Static analysis result for SHA-256 86d5282dc652671a…

Verdict: MALICIOUS
File type: PDF
Size: 44.1 KB
Created: 2004-08-20 09:44:52 UTC
Authoring application: LaTeX with hyperref package (via Acrobat Distiller 7.0 (Windows))
MD5: 0bdde02e7d4bf962b3675d810f4db514
SHA-1: cffb130f9cd5ff016eba6003d4cae8dc7513c952
SHA-256: 86d5282dc652671a01b3d70d40c8e6b203711df3c33624f9a5f7a5bcd06dc11f
Risk score: 96

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

This PDF contains multiple embedded JavaScript streams (ten /JS objects were carved, listed under Extracted artifacts) together with the actions that trigger them, and one decoded stream contains a high-confidence eval() call. The ML classifier independently scored the file as malicious. The JavaScript is most likely used to download and execute a second-stage payload, but its exact behaviour is obfuscated and was not resolved statically. No specific malware family could be identified.

Analyst caveats. The T1059.001 (PowerShell) mapping is not corroborated by any artifact on this page, which show only PDF-embedded JavaScript, CFF fonts and an ICC profile; confirm it by deobfuscating the 2672-byte stream in object 20, the only carved file that tripped the eval/decoder check, or by detonating the sample. The authoring metadata (LaTeX with hyperref, distilled in 2004) describes a toolchain that emits AcroForm fields with small JavaScript helpers when a document uses hyperref forms, so the low-severity /JS, /JavaScript and /Btn hits are expected for such a file and the verdict rests mainly on the eval() hit and the ML score. The five extracted URLs are XMP metadata namespace identifiers, not contact points.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7371

Heuristics (6)

  • eval() call [high] PDF_EVAL
    eval() found (matched inside a decoded stream); commonly used to execute obfuscated exploit code that is only assembled at run time.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This pairing is the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it. All five URLs below are standard XMP/RDF namespace identifiers from the document's metadata packet, not network contact points:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
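To make the heuristics above concrete, the following is an added example and not the analysis platform's own code (nor anything derived from the analysed sample): a minimal static triage script in Python that walks PDF objects, inflates FlateDecode streams, carves /JS code whether it is an inline literal or an indirect reference to a stream object, flags eval() and decoder tokens in the decoded code, detects /Btn fields paired with a URI/SubmitForm/Launch/JavaScript trigger, and labels extracted URLs by channel, separating XMP namespace URIs the way the report does. The PDF it scans is constructed inline; its object numbers, offsets, the example.invalid URL and the rule labels (reused from the report for readability) are illustrative assumptions.

```python
import re
import zlib

# ---- constructed sample (NOT the file analysed in the report) ---------------------------
# An /OpenAction running a FlateDecode-compressed /JS stream that calls eval(), a /Btn
# widget whose /A action is a /URI trigger, and an XMP metadata stream with namespace URIs.
def _stream_obj(data, compress=False, extra=b""):
    """Build a '<< /Length ... >> stream ... endstream' object body for the sample."""
    filt = b""
    if compress:
        data, filt = zlib.compress(data), b" /Filter /FlateDecode"
    return b"<< /Length %d%s%s >>\nstream\n" % (len(data), filt, extra) + data + b"\nendstream"

JS_BODY = (b'var u = unescape("%68%74%74%70"); '
           b'eval(String.fromCharCode(97, 112, 112) + ".alert(u)");')
XMP_BODY = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Metadata 7 0 R"
    b" /AcroForm << /Fields [5 0 R] >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS 6 0 R >> endobj\n"
    b"5 0 obj << /FT /Btn /T (Download) /Subtype /Widget"
    b" /A << /S /URI /URI (http://example.invalid/get) >> >> endobj\n"
    b"6 0 obj " + _stream_obj(JS_BODY, compress=True) + b" endobj\n"
    b"7 0 obj " + _stream_obj(XMP_BODY, extra=b" /Type /Metadata /Subtype /XML") + b" endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# ---- triage logic ------------------------------------------------------------------------
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URL_RE = re.compile(rb"""https?://[^\s()<>"']+""")
DECODER_TOKENS = (b"eval(", b"unescape(", b"String.fromCharCode", b"Function(")
XMP_NS_PREFIXES = (b"http://ns.adobe.com/", b"http://purl.org/dc/",
                   b"http://www.w3.org/1999/02/22-rdf-syntax-ns")

def parse_objects(pdf):
    """Map object number -> (file offset, body) for every 'N G obj ... endobj'.
    Toy parser: no xref walking, no object streams, no encryption, and it assumes
    binary stream data never happens to spell 'endobj'."""
    return {int(m.group(1)): (m.start(), m.group(3)) for m in OBJ_RE.finditer(pdf)}

def split_obj(body):
    """Return (dictionary part, decoded stream payload or None)."""
    m = re.search(rb"stream\r?\n", body)
    if not m:
        return body, None
    head, data = body[:m.start()], body[m.end():]
    length = re.search(rb"/Length\s+(\d+)", head)
    data = data[:int(length.group(1))] if length else re.split(rb"\r?\nendstream", data, maxsplit=1)[0]
    if b"/FlateDecode" in head:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return head, None   # truncated or corrupt stream: record nothing, keep triaging
    return head, data

def triage(pdf):
    """Apply the report's heuristics; return rule hits, carved JS artifacts and labelled URLs."""
    objs = parse_objects(pdf)
    hits, carved, urls = [], [], {}

    def note_urls(blob, channel):
        for u in URL_RE.findall(blob):
            urls[u.decode("latin-1")] = "xmp-namespace" if u.startswith(XMP_NS_PREFIXES) else channel

    def js_code(num, head):
        """Resolve /JS to (object, offset, code): inline literal or indirect stream reference."""
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", head)
        if ref and int(ref.group(1)) in objs:
            n = int(ref.group(1))
            return n, objs[n][0], split_obj(objs[n][1])[1]
        lit = re.search(rb"/JS\s*\((.*?)\)", head, re.DOTALL)
        return num, objs[num][0], (lit.group(1) if lit else None)

    for num, (off, body) in objs.items():
        head, data = split_obj(body)
        if b"/JavaScript" in head:
            hits.append(("PDF_JAVASCRIPT", "low", num))
        if re.search(rb"/JS\b", head):
            hits.append(("PDF_JS", "low", num))
            n, o, code = js_code(num, head)
            if code:   # rules fire on the DECODED stream, which a raw grep of the file never sees
                carved.append({"object": n, "offset": o, "size": len(code),
                               "tokens": [t.decode() for t in DECODER_TOKENS if t in code]})
                if b"eval(" in code:
                    hits.append(("PDF_EVAL", "high", n))
                if carved[-1]["tokens"]:
                    hits.append(("EXTRACTED_FILE_STATIC_TRIAGE", "info", n))
                note_urls(code, "js")
        if b"/Btn" in head and re.search(rb"/S\s*/(URI|SubmitForm|Launch|JavaScript)\b", head):
            hits.append(("PDF_ACROFORM_BUTTON", "low", num))
        note_urls(head, "dictionary")
        if b"/Metadata" in head and data:
            note_urls(data, "xmp-metadata")
    if urls:
        hits.append(("EMBEDDED_URL", "info", None))
    return {"hits": hits, "carved": carved, "urls": urls}

if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    for rule, sev, obj in result["hits"]:
        print(f"{rule:<30} {sev:<5} object {obj}")
    for art in result["carved"]:
        print(f"carved /JS object {art['object']} at offset {art['offset']:#x}, "
              f"{art['size']} bytes, tokens={art['tokens']}")
    for url, channel in result["urls"].items():
        print(f"URL [{channel}] {url}")
```

Running the script prints the same kind of output the report tabulates: a PDF_EVAL hit attributed to the stream object (6), the carved artifact with its file offset and decoded size, and the namespace URIs labelled xmp-namespace rather than as a dictionary or JS channel. The decompression step is the point: eval() lives inside the FlateDecode stream, so a plain string search over the file finds nothing, which is why the report's rule notes "matched inside decoded stream". For a real sample use an xref-aware parser (pdf-parser.py, peepdf or pdfminer) instead of this regex walk, since object streams, incremental updates and encryption all defeat it.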

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (SHA-256 on the following line)

javascript_obj0022_000.js | pdf-javascript-stream | PDF /JS object 22 at offset 0xE58 | 122 bytes
    SHA-256 85b3935a953d6a580b2213bba416d2c7250d3c90c7824d2d31ce8065b33ffc98
javascript_obj0025_001.js | pdf-javascript-stream | PDF /JS object 25 at offset 0x121B | 104 bytes
    SHA-256 c5820df00314b47f5600fefcb0f748d35e270d5a2dfad8a6f6eb08c7a29dcc74
javascript_obj0028_002.js | pdf-javascript-stream | PDF /JS object 28 at offset 0x15C4 | 106 bytes
    SHA-256 89b061b51b34e3451427b505b520579972ebe625ee4897dfe2157ba5a39f2000
javascript_obj0031_003.js | pdf-javascript-stream | PDF /JS object 31 at offset 0x1973 | 121 bytes
    SHA-256 559cffda8e265254dc4be3d6ad3e577056eae45398a27d1fa6394c7f5d722917
javascript_obj0034_004.js | pdf-javascript-stream | PDF /JS object 34 at offset 0x1D31 | 113 bytes
    SHA-256 b735dbdd46b852eb6b708240e2fc5bc7c9d32ca0589ab8032f03deeb99337e4d
javascript_obj0037_005.js | pdf-javascript-stream | PDF /JS object 37 at offset 0x20FC | 119 bytes
    SHA-256 284c32a3774213e5b0a259e376c3be32fa7ee1936e19b3ac0ca865e7c47d47dc
javascript_obj0040_006.js | pdf-javascript-stream | PDF /JS object 40 at offset 0x24B6 | 119 bytes
    SHA-256 9ba53b2a9bfa729913f2955a52c72829e9466628b17af0af01ad69530cb85c8a
javascript_obj0050_008.js | pdf-javascript-stream | PDF /JS object 50 at offset 0x32E7 | 187 bytes
    SHA-256 017428b37fbadd276ebb2dbf23f362c21c1a9ed1317cbafe8fd1d21b8b5c3570
javascript_obj0055_009.js | pdf-javascript-stream | PDF /JS object 55 at offset 0x38F9 | 114 bytes
    SHA-256 35b89b74530bd9b46e20e3d7685a27f5968d3cfed66a4e5554ac9c846f3f23e8
javascript_obj0020_010.js | pdf-javascript-stream | PDF /JS object 20 at offset 0x93C | 2672 bytes
    SHA-256 6c6606351cfd90d182337510fde8cd000beb8ecd40c7943c21bedd13772deb07
    Detection
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 2 eval/decoder/string-building token(s).
icc_00_off00004b43.icc | pdf-icc-profile | PDF ICC profile at offset 0x4B43 | 3144 bytes
    SHA-256 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
font_00_cff_off000057eb.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x57EB | 3125 bytes
    SHA-256 8006a7de0fd178339ca87dfe34efdefaf9883c4e3ae9c03d85f4ed698187279e
font_01_cff_off00006690.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x6690 | 4515 bytes
    SHA-256 830c16934e4aff8e9c0738a208a30fb9f03107434fda42172a95f683e5c8df5c
font_02_cff_off0000780c.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x780C | 928 bytes
    SHA-256 f28ee66e81cddb528d1c4804e6fee1d274d779e5c34d1bf0905e4038fe74b580
font_03_cff_off00007e90.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x7E90 | 3130 bytes
    SHA-256 53dbddaa0259a3bf79475585efde3c21829ff3328f2be8562c6251b6488a103b
font_04_cff_off00008d09.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x8D09 | 4556 bytes
    SHA-256 e696e6f7f908e469e745c0b98b552573f159f1fc1c800b55a0d0c1838224dc59