Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f4e3dd4c9d150d7…

Verdict: MALICIOUS
File type: PDF
Size: 61.3 KB
MD5: dd7a03f4932cb86a77bd57b1c21fc18f
SHA-1: f67c32d6e365ef1a7693dbbe3ac43d8090d56d50
SHA-256: 8f4e3dd4c9d150d7dc427201559681366261e6ba4bf2b0bfc8903a8056c22106
Risk Score: 286

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1059.007 JavaScript/JScript

The PDF contains embedded JavaScript and RichMedia (Flash) content, which together trigger the critical heuristics for a PDF JavaScript exploit cluster and for CVE-2011-0611. The recovered JavaScript has the shape of a generic exploit stage (obfuscated shellcode with heap-spray staging) and appears designed to download and execute a second-stage payload. Flash and JavaScript exploit content in one PDF indicates a delivery mechanism for further malicious activity. No PowerShell artifact appears among the extracted files, so the T1059.001 mapping is not corroborated by the static evidence listed below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9963

Heuristics (11)

  • Adobe Flash Player RichMedia exploit [critical, CVE likely] CVE_2011_0611_FLASH_RICHMEDIA
    The PDF combines RichMedia Flash activation with an embedded AS3 SWF loader (ByteArray/loadBytes) and shellcode heap-spray staging. This is the static exploit shape associated with CVE-2011-0611 Flash content delivered through Adobe Reader.
  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    The PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own stays low-severity; this correlated cluster is high-confidence malicious behaviour.
  • RichMedia (Flash) [high] PDF_RICHMEDIA
    The PDF contains /RichMedia (Adobe Flash), a historic exploit vector.
  • Generic recovered JavaScript exploit stage [high] PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • ASCIIHexDecode filter (with exploit indicators) [medium] PDF_FILTER_HEX
    A hex-encoding filter is present alongside exploit-delivery indicators; the filter is often used to hide payload or shellcode bytes.
  • JavaScript action [low] PDF_JAVASCRIPT
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload. The attachment carved from this sample is 5.swf (EmbeddedFile object 50, see Extracted artifacts), consistent with the RichMedia finding above.
  • XFA form [low] PDF_XFA
    The PDF uses XML Forms Architecture, which can contain script logic.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All three URLs below are XDP/XFA schema namespace identifiers from the form template, not resources the document fetches.
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.1/
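The heuristics above are keyword-and-cluster rules: a low-severity JavaScript surface becomes a critical finding only when it co-occurs with exploit-staging indicators. The Python below is an added illustration of that logic written for this page, not the scanner's own code; the rule names mirror this report's labels, but the thresholds, the constructed sample PDFs and the helper names (build_pdf, iter_streams, decode_stream, triage) are assumptions. It goes one step beyond the report by inflating FlateDecode and ASCIIHexDecode streams before counting, so a /JS body hidden inside a compressed stream still reaches the cluster rule.

```python
import re
import zlib

# Constructed PDFs (not the analysed sample): an /OpenAction JavaScript whose
# /JS body is Flate-compressed, plus, for the staged variant, a /RichMedia
# annotation and an /EmbeddedFile stored with /ASCIIHexDecode.
STAGE_JS = (b'var sc = unescape("%u9090%u9090%u9090%u9090%ue8fc%u0000%u0000%u5f60");'
            b'var spray = unescape("%u0c0c%u0c0c"); while (spray.length < 0x80000) spray += spray;')
FORM_JS = b'this.getField("total").value = this.getField("a").value + 1;'


def build_pdf(js_body, with_richmedia=True):
    """Assemble a minimal PDF; every /Length is computed so the file parses cleanly."""
    js = zlib.compress(js_body)
    hexdata = b"4d5a9000>"  # ASCIIHexDecode payload; '>' is the end-of-data marker
    objs = [
        b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n",
        b"3 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js)
        + js + b"\nendstream\nendobj\n",
    ]
    if with_richmedia:
        objs += [
            b"4 0 obj\n<< /Type /Annot /Subtype /RichMedia /RichMediaContent "
            b"<< /Assets << /Names [(5.swf) 5 0 R] >> >> >>\nendobj\n",
            b"5 0 obj\n<< /Type /Filespec /F (5.swf) /EF << /F 6 0 R >> >>\nendobj\n",
            b"6 0 obj\n<< /Type /EmbeddedFile /Length %d /Filter /ASCIIHexDecode >>\nstream\n"
            % len(hexdata) + hexdata + b"\nendstream\nendobj\n",
        ]
    return b"%PDF-1.6\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def iter_streams(pdf):
    """Yield (object number, dictionary bytes, raw stream bytes) for each stream object."""
    for obj in re.finditer(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", pdf, re.DOTALL):
        body = obj.group(2)
        start = re.search(rb"\bstream\r?\n", body)  # \b keeps 'endstream' from matching
        if not start:
            continue
        dictionary = body[:start.start()]
        # Prefer a direct /Length; an indirect one (/Length 5 0 R) falls back to the marker.
        length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)
        if length:
            raw = body[start.end():start.end() + int(length.group(1))]
        else:
            raw = re.search(rb"(.*?)\r?\nendstream", body[start.end():], re.DOTALL).group(1)
        yield int(obj.group(1)), dictionary, raw


def decode_stream(dictionary, raw):
    """Apply the two filters the report mentions; anything else is returned as-is."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw  # damaged stream: still scan the raw bytes for keywords
    if b"/ASCIIHexDecode" in dictionary:
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", raw.split(b">", 1)[0])
        if len(digits) % 2:
            digits += b"0"  # the spec treats a trailing odd digit as if followed by 0
        return bytes.fromhex(digits.decode("ascii"))
    return raw


KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/RichMedia",
            b"/EmbeddedFile", b"/XFA", b"/ASCIIHexDecode")
STAGING = {  # exploit-staging indicators named in the PDF_JS_EXPLOIT_CLUSTER description
    "unescape": rb"\bunescape\s*\(",
    "eval": rb"\beval\s*\(",
    "fromCharCode": rb"fromCharCode",
    "unicode_escape_run": rb"(?:%u[0-9A-Fa-f]{4}){4,}",
}


def triage(pdf):
    """Count keywords over the raw file plus every decoded stream, then apply cluster rules."""
    decoded = [decode_stream(d, raw) for _, d, raw in iter_streams(pdf)]
    corpus = pdf + b"\n" + b"\n".join(decoded)
    counts = {k.decode(): len(re.findall(re.escape(k) + rb"\b", corpus)) for k in KEYWORDS}
    staging = {name: len(re.findall(pat, corpus)) for name, pat in STAGING.items()}
    js_surface = counts["/JavaScript"] + counts["/JS"] > 0
    exploit_like = any(staging.values())
    rules = []
    if counts["/JavaScript"]:
        rules.append(("PDF_JAVASCRIPT", "low"))
    if counts["/JS"]:
        rules.append(("PDF_JS", "low"))
    if counts["/EmbeddedFile"]:
        rules.append(("PDF_EMBEDDED", "low"))
    if counts["/XFA"]:
        rules.append(("PDF_XFA", "low"))
    if counts["/RichMedia"]:
        rules.append(("PDF_RICHMEDIA", "high"))
    if counts["/ASCIIHexDecode"] and exploit_like:
        rules.append(("PDF_FILTER_HEX", "medium"))
    if js_surface and exploit_like:  # the correlation that lifts low-severity JS to critical
        rules.append(("PDF_JS_EXPLOIT_CLUSTER", "critical"))
    return {"counts": counts, "staging": staging, "rules": rules}


if __name__ == "__main__":
    for label, doc in (("staged", build_pdf(STAGE_JS)), ("form", build_pdf(FORM_JS, with_richmedia=False))):
        print(label, triage(doc)["rules"])
```

Run stand-alone, the staged document fires PDF_RICHMEDIA, PDF_FILTER_HEX and PDF_JS_EXPLOIT_CLUSTER on top of the low-severity JavaScript rules, while the form-only document fires just PDF_JAVASCRIPT and PDF_JS. Counting /JS with a trailing word boundary is deliberate: without it, /JavaScript would be double-counted.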

Extracted artifacts (19)

Files carved from inside the sample during analysis. Note that generic_stage_recovery_004 through _008 were derived from the streams at offsets 0xE51 and 0x1663, which are also carved below as the two embedded sfnt fonts; marker-to-%u rewriting of binary font data can yield spurious stages, so the object 29 recoveries (_000 to _003 and _009 to _011) are the ones to verify first.

Filename / Kind / Source / Size

5.swf
  SHA-256: 797559d3f1e4f62f7d7ec5a729b60c863e13118d22afb32eab08faf38dc7c87f
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 50 at offset 0x40C5
  Size:    2809 bytes

javascript_obj0029_000.js
  SHA-256: 6b3dc5a0bc98a07d73c6206665688e07eb8f4d7e1f3b7b6c0b1102713f3b46a1
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 29 at offset 0xD18A
  Size:    19788 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 3 long base64-like blobs).

javascript_obj0039_001.js
  SHA-256: 79a847f48c29830c80cf0408c7505d8bd07472b58ec4ea49698a533638d7bb04
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 39 at offset 0x1E9B
  Size:    5637 bytes

javascript_obj0056_002.js
  SHA-256: 2b0cb364300292a88607c7b04076629077f1b58bbf9fa93686a58f4ad62ef40b
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 56 at offset 0x32FA
  Size:    1417 bytes

stream_004_off0000088f.bin
  SHA-256: 69e17a0038b9273e6d005ef52313a832cb41b9cf9713d6134d0cf9f2e59298a7
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x88F
  Size:    434 bytes

generic_stage_recovery_000.js
  SHA-256: 6960b096aac59e7442472e0745b8d29ba6efa5ca4889cfe8dbea6d50b3be5031
  Kind:    deobfuscated-js
  Source:  generic stage recovery marker-MM-to-%u from JavaScript object 29 at offset 0xD18A
  Size:    19609 bytes

generic_stage_recovery_001.js
  SHA-256: 13beb9134db9895943c218ba573e5155cc9ca314651aa6de3eddc6e9494a2f69
  Kind:    deobfuscated-js
  Source:  generic stage recovery marker-MM-to-%u from JavaScript object 29 at offset 0xD18A
  Size:    13130 bytes

generic_stage_recovery_002.js
  SHA-256: e7d6d3d66aca14bcfb0903a0b15e0c1cc7636644ac458d3ef397a58f7afafe59
  Kind:    deobfuscated-js
  Source:  generic stage recovery marker-MM-to-%u from combined JavaScript objects at offset 0xD18A
  Size:    26665 bytes

generic_stage_recovery_003.js
  SHA-256: cdcb6563040037a4cc1767e8aa71f699e025722f76489a289551bd2c078ad1af
  Kind:    deobfuscated-js
  Source:  generic stage recovery marker-MM-to-%u from combined JavaScript objects at offset 0xD18A
  Size:    20186 bytes

generic_stage_recovery_004.js
  SHA-256: 3ba64244b2b6b1c2ba5157dfb16ed66f8a46e9ce2b85a9f88be01dd28efd6412
  Kind:    deobfuscated-js
  Source:  generic stage recovery marker-AAAAA-to-%u from decompressed stream at offset 0xE51
  Size:    7789 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob).

generic_stage_recovery_005.js
  SHA-256: 93522b2cf19db13aac26cb30efbe725e7f50d0c0d9c72950e2ec10073b744432
  Kind:    deobfuscated-js
  Source:  generic stage recovery marker-AA-to-%u from decompressed stream at offset 0xE51
  Size:    7821 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob).

generic_stage_recovery_006.js
  SHA-256: 1e712ebe5edbaf8371bb08490c13f27a196e6404ba3ec69298268f127b801643
  Kind:    deobfuscated-js
  Source:  generic stage recovery marker-ffffffff-to-%u from decompressed stream at offset 0xE51
  Size:    2275 bytes

generic_stage_recovery_007.js
  SHA-256: 7a3e84e74468af182cc56d301a08b43c96c51fd1f0e434ed57bb0a0ec05510cf
  Kind:    deobfuscated-js
  Source:  generic stage recovery marker-AAAAA-to-%u from decompressed stream at offset 0x1663
  Size:    7808 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob).

generic_stage_recovery_008.js
  SHA-256: bb59b77437da40e7978965835b243176e71f6438bc83b2f308fc9e10fd1e5c70
  Kind:    deobfuscated-js
  Source:  generic stage recovery marker-AA-to-%u from decompressed stream at offset 0x1663
  Size:    7821 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob).

generic_stage_recovery_009.js
  SHA-256: 16c81fbc824e4bb02335f44ef62d42b231db551557a138c810cb464362e1dcf6
  Kind:    deobfuscated-js
  Source:  generic stage recovery split-literal-normalize -> marker-MM-to-%u from JavaScript object 29 at offset 0xD18A
  Size:    19516 bytes

generic_stage_recovery_010.js
  SHA-256: 98dbfc865fe8eada413afa492ebeb89166e0271c28cd660052b66f0aea8e3355
  Kind:    deobfuscated-js
  Source:  generic stage recovery split-literal-normalize -> marker-MM-to-%u from JavaScript object 29 at offset 0xD18A
  Size:    13082 bytes

generic_stage_recovery_011.js
  SHA-256: 20b372c6dda5f0dc976a93552f89711f169a89e568efa72833e620a4755e1729
  Kind:    deobfuscated-js
  Source:  generic stage recovery marker-MM-to-%u -> split-literal-normalize from JavaScript object 29 at offset 0xD18A
  Size:    19516 bytes

font_00_sfnt_off00000e51.bin
  SHA-256: 9520d1e3c26c38a7d8e0587578a21196782149e3c5f4b565229deafde3ff3a35
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xE51
  Size:    8429 bytes

font_01_sfnt_off00001663.bin
  SHA-256: 18f2d21f655a09be0df9f6bfb4b539e43160f5a64a3e1b2dd7a4c8a5a185a5d2
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1663
  Size:    8429 bytes
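The PDF_GENERIC_STAGE_RECOVERY heuristic and the generic_stage_recovery_* artifacts above describe bounded transforms (null-byte collapse, percent decoding, split-literal-normalize, marker-MM-to-%u) followed by a check that the result contains exploit-like content. The Python below is an added illustration of that pipeline written for this page, not the scanner's implementation: the obfuscated sample stage is constructed, the marker list of Acrobat APIs and the two-indicator threshold are assumptions, and the helper names (recover_stage, marker_rules, decode_unicode_runs) are not from the report. It goes one step beyond the report by reading the marker from the script's own replace() call rather than guessing it, and by rebuilding the bytes unescape() would produce so the NOP-sled check runs on real bytes instead of text.

```python
import re
import struct

# Constructed obfuscated stage (illustrative, not a carved artifact): "MM" stands
# in for "%u", one literal is split with "+", a heap-spray loop grows a string,
# and an Acrobat API historically abused by Reader exploits is called.
SAMPLE_STAGE = r'''
var a = "MM9090MM9090MM9090MM9090MMe8fcMM0000MM0000MM5f60";
var b = "MMc0cc" + "MMccc3";
var sc = unescape((a + b).replace(/MM/g, "%u"));
var spray = unescape("%u0c0c%u0c0c");
while (spray.length < 0x80000) spray += spray;
var mem = [];
for (var i = 0; i < 200; i++) mem[i] = spray + sc;
util.printf("%s", sc);
'''
BENIGN_FORM = 'this.getField("total").value = this.getField("a").value + 1;'

# Acrobat JavaScript APIs seen in historic Reader exploits (assumed marker list).
ACROBAT_APIS = ("util.printf", "Collab.collectEmailInfo", "Collab.getIcon",
                "media.newPlayer", "spell.customDictionaryOpen")
SPRAY_WORD = re.compile(r"%u(?:0a0a|0b0b|0c0c|0d0d)")        # classic heap-spray addresses
UNICODE_RUN = re.compile(r"(?:%u[0-9A-Fa-f]{4}){4,}")          # runs unescape() turns into bytes
STRING_LITERAL = re.compile(r'"[^"\\]*"' + r"|'[^'\\]*'")      # no escape handling, kept simple
SPLIT_LITERAL = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
REPLACE_CALL = re.compile(r'\.replace\(\s*(?:/([^/]+)/[gimsuy]*|["\']([^"\']+)["\'])'
                          r'\s*,\s*["\']([^"\']*)["\']\s*\)')


def collapse_nulls_and_percent(js):
    """Drop NUL padding and decode %XX escapes, leaving %uXXXX for the marker stage."""
    js = js.replace("\x00", "")
    return re.sub(r"%(?!u)([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), js)


def normalize_split_literals(js):
    """Join "ab" + "cd" into "abcd" until nothing changes (split-literal-normalize)."""
    while True:
        joined = SPLIT_LITERAL.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
        if joined == js:
            return js
        js = joined


def marker_rules(js):
    """Pull (marker, replacement) pairs from x.replace(/MM/g, "%u") or x.replace("MM", "%u")."""
    return [(m.group(1) or m.group(2), m.group(3)) for m in REPLACE_CALL.finditer(js)]


def apply_marker_rules(js, rules):
    """Rewrite string literals only, so the replace() call itself stays visible in the output."""
    def rewrite(m):
        s = m.group(0)
        for marker, repl in rules:
            s = s.replace(marker, repl)  # markers are treated literally, as the sample uses them
        return s
    return STRING_LITERAL.sub(rewrite, js)


def decode_unicode_runs(js):
    """Rebuild the little-endian byte blobs that unescape() would produce from %uXXXX runs."""
    blobs = []
    for run in UNICODE_RUN.findall(js):
        words = [int(w, 16) for w in re.findall(r"%u([0-9A-Fa-f]{4})", run)]
        blobs.append(b"".join(struct.pack("<H", w) for w in words))
    return blobs


def recover_stage(js):
    """Bounded static recovery: transforms first, then an exploit-marker scan on the result."""
    js = normalize_split_literals(collapse_nulls_and_percent(js))
    rules = marker_rules(js)
    js = apply_marker_rules(js, rules)
    blobs = decode_unicode_runs(js)
    apis = [api for api in ACROBAT_APIS if api in js]
    nop_sled = any(b"\x90" * 4 in blob for blob in blobs)
    heap_spray = bool(SPRAY_WORD.search(js)) and ".length" in js
    indicators = sum([bool(apis), bool(blobs), nop_sled, heap_spray])
    return {"js": js, "markers": rules, "acrobat_apis": apis,
            "shellcode_bytes": sum(len(b) for b in blobs),
            "nop_sled": nop_sled, "heap_spray": heap_spray,
            "exploit_like": indicators >= 2}  # emit only when the recovered stage looks exploit-like


if __name__ == "__main__":
    for label, stage in (("obfuscated", SAMPLE_STAGE), ("form", BENIGN_FORM)):
        r = recover_stage(stage)
        print(label, r["markers"], r["acrobat_apis"], r["shellcode_bytes"], r["exploit_like"])
```

Transform order matters, which is why the report emits both a split-literal-normalize -> marker-MM-to-%u and a marker-MM-to-%u -> split-literal-normalize output with different sizes; this example fixes one order (percent decoding, literal joining, then markers) and leaves the replace() call untouched so the marker that was used remains readable in the recovered stage. The benign form script goes through the same transforms and produces no markers, no byte blobs and no exploit-like verdict.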