Malicious PDF — malware analysis report

Static analysis result for SHA-256 acb4ac0144d9438c…

Verdict: MALICIOUS
File type: PDF

Size: 710.5 KB
Created: 2006-04-13 14:44:54 -04:00
Authoring application: Adobe Designer 7.0
MD5: bbab3fd24ef733f172094c658859a136
SHA-1: 8f60eec734d6b284cced34fe52541c9a12e7ad42
SHA-256: acb4ac0144d9438cf0a52750f371a6937c40cc1eda293e3f2c6ae369e7292b9b
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains multiple embedded JavaScript streams, indicating an attempt to execute malicious code upon opening. The ML classifier strongly suggests maliciousness. The presence of JavaScript actions and embedded files points towards a downloader or exploit delivery mechanism. The document body is heavily obfuscated and unreadable, providing no further context on the lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8883

Heuristics (8)

  • Unusually high stream count [medium] PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • PDF paints image(s) but contains no text operators [info] PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, the source location inside the sample, and the size.

  • embedded_file_obj1921.bin
    SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 1921 at offset 0x9F634
    Size: 85 bytes
  • embedded_file_obj1922.bin
    SHA-256: 48346ec364eae4f82597557c8ee633d44dc3ead14d089d50c84db8890206a456
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 1922 at offset 0x9F6E8
    Size: 1406 bytes
  • embedded_file_obj1923.bin
    SHA-256: bb956e1e9cef43350c01af0e8f2010ff0cb132654996ba0ec9ee4e91c470508a
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 1923 at offset 0x9F993
    Size: 326409 bytes
  • embedded_file_obj1924.bin
    SHA-256: 44fb8ebf9d29e8f0734a312b07edd7e559e406b9916e36200fab4e69ef3aed95
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 1924 at offset 0xA70B9
    Size: 5196 bytes
  • embedded_file_obj1925.bin
    SHA-256: 61642dc7cd003f413c4fa081fa3bbed91086d153eca3840f65c4fb2640556985
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 1925 at offset 0xA71CF
    Size: 724 bytes
  • embedded_file_obj1926.bin
    SHA-256: a60265344cf1a9e94da34c8f587f64a4297e2fa417c895852209903ab7588bcc
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 1926 at offset 0xA73B1
    Size: 85 bytes
  • javascript_obj1913_000.js
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1913 at offset 0x9EE9D
    Size: 870 bytes
  • javascript_obj1915_001.js
    SHA-256: 4e139c8b22ec16bd5aa51575c80dec2bbf89b76977a06b68473031a0eb206366
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1915 at offset 0x9F027
    Size: 2794 bytes
  • javascript_obj1917_002.js
    SHA-256: c876171bd867b66b7671fb337ff9e57d18cd15b43d344cf5a7243821300a408a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1917 at offset 0x9F31C
    Size: 1528 bytes
  • stream_008_off00004b32.bin
    SHA-256: 3463cb6a96f307e7e3d7300dfb47d1a354c957c464dadd2539dcb8dc271d2635
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4B32
    Size: 293120 bytes
  • stream_010_off00030f61.bin
    SHA-256: 4735e29f6b4dfaae31ceba3a66c7548a579b3b0ad8f9ec68bc6e90b0597d7de3
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x30F61
    Size: 308015 bytes
  • font_00_cff_off00081cda.bin
    SHA-256: 23831e143e2e1a484b95ee765b15d94562c951468b895c080e655667dc04ddf0
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x81CDA
    Size: 31178 bytes