PDF malware analysis — malicious · 8ef6aea0ea9f60aa

MALICIOUS

PDF

69.3 KB Authoring application: Crystal Reports (via Powered By Crystal)

MD5: bd4df5968df3727322e71cb64a5cf9d2 SHA-1: 4cd1cd43e91f3c22e481005c8505cfde9599aa40 SHA-256: 8ef6aea0ea9f60aa01485909a2148d74914f90bf2eb408c1e1f89aaf1f1affce

62 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF contains an embedded JavaScript stream and multiple embedded files, as indicated by the PDF_JS and PDF_EMBEDDED heuristics. The ML classifier also flagged this PDF as malicious. These components suggest the document is designed to execute malicious code or download further payloads. The specific intent of the embedded scripts and files could not be fully determined due to obfuscation or truncation, but the presence of these elements strongly indicates a malicious delivery mechanism.

Machine Learning

Nyx PDF Classifier malicious score 0.7205

Heuristics 4

Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
AcroForm button with action trigger low PDF_ACROFORM_BUTTON

PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0049.bin` `f594fc906b5cc249901bc4dbec5ea4e465df820c83fa5bca12c3640fe1c530a8`	pdf-embedded-file	PDF EmbeddedFile object 49 at offset 0xD9C5	30234 bytes
`embedded_file_obj0047.bin` `d81baa73e490e4cb879e13927cacd1dd1be37524a37eac51603e15117c578777`	pdf-embedded-file	PDF EmbeddedFile object 47 at offset 0x10BD1	84 bytes
`embedded_file_obj0048.bin` `24c130f03a4cf51d470b536e94c1e58af67665739e200e0ce198ad41086243c0`	pdf-embedded-file	PDF EmbeddedFile object 48 at offset 0x10C83	228 bytes
`embedded_file_obj0050.bin` `c97e0522381d6196cc0695f35f4d065f15c9c86a9601a7f776c6afd3f4c6b460`	pdf-embedded-file	PDF EmbeddedFile object 50 at offset 0x10D74	199 bytes
`embedded_file_obj0051.bin` `846dfecc0c93797cb6db4301f6af323fffd76ffdf8c053c439495412785138e7`	pdf-embedded-file	PDF EmbeddedFile object 51 at offset 0x10E65	119 bytes
`embedded_file_obj0052.bin` `e6c26a3478346d27e841ad49868ebf68bf4c6863b6750e8d60bda3c4c6f79876`	pdf-embedded-file	PDF EmbeddedFile object 52 at offset 0x10F1D	77 bytes
`embedded_file_obj0053.bin` `92a3ce61d783e15932b5de127ce45a9b4c2f98f4da2453f65241573c1dda808a`	pdf-embedded-file	PDF EmbeddedFile object 53 at offset 0x10FC4	56 bytes
`stream_002_off00000c8e.bin` `abad6f91eafdb0e083580077f31cb616896fd8ea7751010400f0df402685eed0`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xC8E	34056 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.