Malicious PDF — malware analysis report

Static analysis result for SHA-256 a56ad212adab0274…

Verdict: MALICIOUS
File type: PDF
Size: 61.0 KB
Created: 2007-06-12 14:11:32 -04:00
Authoring application: OmniForm Premium (via APJavaScript 2.2.1 Windows SPDF_1112 Oct 3 2005)
First seen: 2026-05-09
MD5: a84ec9d87a0f717a7128ebbad8c1bf7f
SHA-1: 8d361b28f4d7d6f756a2c26c88409bf6d5bf89b7
SHA-256: a56ad212adab027428feb773c35ec2c43a8eaeda96bc2aedf4dbc6c090f6c2ce
Risk Score: 66

Digital signature: Signed

A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.

Malware Insights

MITRE ATT&CK
  • T1059.001 JavaScript
  • T1559.001 Component Object Model

The PDF contains embedded JavaScript, indicated by multiple heuristic firings including 'PDF_JAVASCRIPT' and 'PDF_JS'. The ML classifier also flagged this PDF with high confidence. While the document body mentions 'document rights' and 'Adobe Reader', the presence of JavaScript suggests an intent beyond legitimate form filling, likely to execute malicious code or redirect the user. No specific malware family could be identified.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9630

Heuristics (6)

  • JavaScript action (severity: low; 2 related findings; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript issues an HTTP request on open (severity: low; rule: PDF_JS_NETWORK_BEACON)
    Embedded JavaScript calls a network API — this.getURL() to an http(s) URL, XMLHttpRequest, or SOAP — typically an open-time beacon / tracking pixel or data-exfil callback. This abuses a legitimate Acrobat API and exploits no vulnerability; the risk is the unsolicited outbound request (confirming recipient open or fetching a next stage).
    Matched lines in script:
        if (ans == 1)
            this.getURL("http://www.adobe.com/acrobat", false);
    }
  • AcroForm button with action trigger (severity: low; rule: PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.adobe.com/acrobat (referenced by PDF JavaScript)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (referenced by PDF JavaScript)
    • http://ns.adobe.com/pdf/1.3/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/pdfx/1.3/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/xap/1.0/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/xap/1.0/mm/ (referenced by PDF JavaScript)
    • http://purl.org/dc/elements/1.1/ (referenced by PDF JavaScript)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0134_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 134 at offset 0x4384
Size: 808 bytes
SHA-256: 6ec6509be655ad55d7f043dd30a57424b3e40e0dcc056cf0d9c53cf4255c07fb
Preview script (first 1,000 lines of the extracted script):
/*Ubiquity*/
var needsUpdate = 0;
if (app.viewerType == "Exchange" && app.viewerVariation=="Fill-In")
    needsUpdate = 1;
else if (app.viewerType == "Reader")
{
    if (app.viewerVersion >= 5.1)
        needsUpdate = 0;
    else
        needsUpdate = 1;
}
if (needsUpdate)
{
    var ans = app.alert("This document requires one of the following\nin order to be used as the author intended:\n\n - Acrobat Reader 5.1 or later\n - Acrobat 5.0.5 or later\n - Acrobat Approval 5.0.5 or later\n\nYou are viewing this document with an earlier\nversion of one of these products.  As a result,\nsome features\nof the document will not operate.\n\nClick OK to go on-line and obtain the latest version\nof the free Adobe Reader.\n", 1, 1);
    if (ans == 1)
        this.getURL("http://www.adobe.com/acrobat", false);
}