Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2ca0a25a10cf74c…

Verdict: MALICIOUS
File type: PDF
Size: 736.0 KB
Created: 2010-11-02 14:47:21 -04:00
Authoring application: Adobe LiveCycle Designer 8.0
MD5: bf350c67d24fc40e46e15a002e03d17c
SHA-1: 5b2cece0728d0b03713b89907c692c08603c9b21
SHA-256: a2ca0a25a10cf74cf625d2ab15142970edec9c714e39f482a008be2c7bb0d08b
Risk score: 84

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The PDF file contains multiple embedded JavaScript streams and is flagged by ML classifiers as malicious. The presence of 'PDF_JAVASCRIPT', 'PDF_JS', and 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristics indicates that the document is designed to execute code. The ML classifier output of 0.992574 strongly suggests malicious intent. The embedded JavaScript, specifically 'stream_008_off00085c18.js', is likely responsible for downloading and executing a secondary payload, which is a common technique for malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9926

Heuristics (7)

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, the source location inside the PDF, and the size.

  • embedded_file_obj0060.bin
    SHA-256: c41be430478d36c15cd01842cc720b0d2e60b9744423622df1d62389a716129d
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 60 at offset 0xB7722 | Size: 451 bytes
  • embedded_file_obj0061.bin
    SHA-256: 4f8b6817065bb3f7e0d0b8f7ce965819244264345b5c6d3313c1dec81c776aaa
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 61 at offset 0xB784E | Size: 162 bytes
  • javascript_obj0039_000.js
    SHA-256: 40d207bd33ef19f74e77d6e0bc9aa193e7355fc39dc66f9669dd2d0a8de76db6
    Kind: pdf-javascript-stream | Source: PDF /JS object 39 at offset 0xB6E5C | Size: 1383 bytes
  • javascript_obj0040_001.js
    SHA-256: 91ea259764c68d27b8981a339c02d8ea92224ae5c0d0cd0a7c8f3d645d599090
    Kind: pdf-javascript-stream | Source: PDF /JS object 40 at offset 0xB7042 | Size: 902 bytes
  • javascript_obj0041_002.js
    SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
    Kind: pdf-javascript-stream | Source: PDF /JS object 41 at offset 0xB719C | Size: 2798 bytes
  • stream_004_off000109aa.bin
    SHA-256: a0f5b5f69a88877ffaa1733f0e0bbf9b4b3eef82f4ff804c724870cecea228d2
    Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x109AA | Size: 409252 bytes
  • stream_006_off0004bd6d.bin
    SHA-256: 3865d93c0c2166362b36dcedd4241f4d13e97beb2582d99741eb0ef72770f9b8
    Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x4BD6D | Size: 398350 bytes
  • stream_007_off000857c6.js
    SHA-256: 25c929e77b4e8b46e2ff068717c8b2579abd3a5c6faf3d8948bcea6976f1ceff
    Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x857C6 | Size: 2914 bytes
  • stream_008_off00085c18.js
    SHA-256: 42fae2955a1f3485f5e64b1501df53561dfb0dd17c54abe613a7ddf91da14386
    Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x85C18 | Size: 319034 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 3 long base64-like blob(s))
  • stream_009_off000b2e68.bin
    SHA-256: 2d58413fda1ff20c994606823bf49e41194612c0137b6315e50fa7bdc01f1e09
    Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0xB2E68 | Size: 2423 bytes
  • stream_010_off000b3136.bin
    SHA-256: 8100fd7bbdadfe35e936b115d51a32365d85aa2f5fd0322db8e9458d7e8eb9b6
    Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0xB3136 | Size: 1131 bytes
  • font_00_sfnt_off000009df.bin
    SHA-256: 058d11642e857508126df5662db2c7af4bdc1892e73eea6fc33f2605a1fc3c20
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x9DF | Size: 94875 bytes