Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ecf547d7281cdf2…

MALICIOUS

PDF

384.8 KB Created: 2002-01-14 15:29:52 Authoring application: 30-Day Exemption Form.doc - Microsoft Word (via Acrobat PDFWriter 4.05 for Windows NT)
MD5: 0db2b04bf3b0b6c5116e3bf89be3e767 SHA-1: 4d0c717e36e8f50eb329250c2c340005deaa08e2 SHA-256: 9ecf547d7281cdf2a61e419f1336eae1afbadfc3a91f8781e154f0a358965685
66 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/Shell Scripting: JavaScript

The PDF file contains embedded JavaScript streams and triggers associated with PDF exploits. The ML classifier also flagged this PDF as malicious. While the JavaScript content is minimal and obfuscated, its presence within a PDF, combined with exploit-related heuristics, strongly suggests an attempt to leverage vulnerabilities. No specific family could be identified due to the limited script content and lack of network indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6008

Heuristics 6

  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0061_002.js
93e3e5723abfa92ea946fda13f0c68dfce45965861eae54c1f2105030d35139f		 pdf-javascript-stream PDF /JS object 61 at offset 0x49AC 42 bytes
javascript_obj0062_003.js
630b2fbbb501893a46e0e881f95411eb201c055c7baf5bee1bf1fbb7f474722c		 pdf-javascript-stream PDF /JS object 62 at offset 0x4A07 39 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.