Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f99f0db4a4a1b87…

MALICIOUS

PDF

134.2 KB
MD5: 2a74df6b82e7bf2423ac370a62827c3c SHA-1: cbe216e79a413dd3512eb5dbfbca1af77da60a98 SHA-256: 8f99f0db4a4a1b876c30e6c82099525e6966e8e9109a69ba6381107d7bf7bbe8
86 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file exhibits multiple indicators of malicious activity, including embedded JavaScript and an embedded file. The ML classifier strongly suggests maliciousness. The embedded file, 'embedded_file_obj0003.bin', is a primary artifact of interest. The presence of JavaScript actions and embedded scripts points towards an attempt to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9195

Heuristics 7

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xfa/promoted-desc/

Extracted artifacts 13

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0002.bin
c8a41472743d3d9fa27bd273882940194d1d7c41fccefa703955b9d4d1bf1581		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x58 1856 bytes
embedded_file_obj0003.bin
7a924b420a6a8fe6be5ab7968e1910bffed53b9f6c60e05db642a907d9be4fc6		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x3BD 411001 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).
embedded_file_obj0004.bin
0cc1acb568122b202bf53805b12af93620ac5985e50247b10a974e6e1d27ad41		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x1AA62 2920 bytes
embedded_file_obj0007.bin
2ac6dae4fac82721331c9e44dc903d0c773402198ff52d5b347d79af636e20f1		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x1ADDE 640 bytes
embedded_file_obj0008.bin
708184c3756f474163a7dc27c006d265992f62c1eabef6b340d7c91a4b8aeac8		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x1AF5F 29525 bytes
embedded_file_obj0009.bin
642ebd21fa554fcf77fe3ed46ebeed5f4ee1777b99b4d17a848c825cbf9e4c0f		 pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x1BA61 1535 bytes
embedded_file_obj0010.bin
2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19		 pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x1BD24 80 bytes
embedded_file_obj0056.bin
6fa3678fdee168a7a81fb992dc3a271bddcc1ae903903c1d80edfc762841b917		 pdf-embedded-file PDF EmbeddedFile object 56 at offset 0x1D6BE 162 bytes
embedded_file_obj0057.bin
b5be3c30d2880f83251f1ffa8b862765f3ccbc766901a061b331e157098c6658		 pdf-embedded-file PDF EmbeddedFile object 57 at offset 0x1D7B0 3189 bytes
embedded_file_obj0058.bin
d4a16b79da6bc8beb7b0e33cbbf09a9899d93ed09506f0501aeb84088487baee		 pdf-embedded-file PDF EmbeddedFile object 58 at offset 0x1DAC2 13902 bytes
stream_007_off0001ce3e.js
f94e41f586bf3f20bc1deeac4bfbda388a61db43f25fbd6304ba73f5653368cf		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1CE3E 1313 bytes
stream_008_off0001d01d.js
1b2ec98752b966f601d5223a750559cf13d562ac5e5c6d1fcc7217835b01f5fd		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1D01D 902 bytes
objstm_0060_00.bin
407b57f1135925ec116f51a8c9e91c0e98dc2fe589ae7c5f5c137b84c9686e04		 pdf-objstm-decoded PDF /ObjStm 60 0 obj (inflated) 7043 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.