Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d94b089ac5b92c1…

MALICIOUS

PDF

4.31 MB
MD5: 45cdd688968d339db6bfd195dfd03b4c SHA-1: 9dcd82bd8dec05de6f300c850fd715fe5cf3f1dd SHA-256: 8d94b089ac5b92c12a6327d3d850e65aa78aa73d470f262d07540ac9ce4928d5
134 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains JavaScript that utilizes the `exportDataObject` and `nLaunch` functions to automatically launch an embedded file named 'test.doc'. This is a common dropper technique used to execute malicious payloads. The ML classifier strongly indicates maliciousness, and the embedded file launch is a critical finding.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9978

Heuristics 5

  • exportDataObject + nLaunch — embedded-file launch-on-open dropper critical PDF_JS_EXPORT_LAUNCH_DROPPER
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
test.doc
b572c0ef43dd6c8e6fda9cdba2adb7ab8dfe074981d62d582d8457ae3f96c7f9		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x55C 2260513 bytes
javascript_obj0009_000.js
f4202c85a4cb93d4b82b9bb0b4ea5e174d56cb4c465226dabd1c563690942529		 pdf-javascript-stream PDF /JS object 9 at offset 0x4501B6 57 bytes
javascript_obj0009_001.js
b8cebed679e527f70945c094cd6d1a6534ebe9b43e42651bc56cefb684263b2d		 pdf-javascript-stream PDF /JS object 9 at offset 0x4501B6 55 bytes
combined_document_js_000.js
e60daab43579d25aff483960fbdbd97820f26c372a72ad34ceb3140ad2331d93		 deobfuscated-js combined document JavaScript streams at offset 0x4501B6 113 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.