Malicious PDF — malware analysis report

Static analysis result for SHA-256 af02872a750aea02…

MALICIOUS

PDF

Size: 174.9 KB
Created: 2008-08-19 23:58:52 -08:00
Authoring application: Acrobat Editor 8.0 (via Adobe Acrobat 8.0)
MD5: 1a7e7dec83eda289eb3f4505ff875267
SHA-1: 099d4ed88b3fbc1df6ed026cb6b9592feb029965
SHA-256: af02872a750aea02ce6246bb3bf52723f37b09f39e3f1ee37dd68efaf3835c74
Risk score: 148

Malware Insights

MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript T1204.002 User Execution: Malicious File

The PDF contains embedded JavaScript: a /JavaScript action whose /JS stream lives in object 32 (PDF_JAVASCRIPT, PDF_JS), and that script calls eval() and String.fromCharCode (PDF_EVAL, PDF_FROMCHARCODE). Bounded stage recovery percent-decoded a hidden second stage out of object 32, and that stage matched the exploit-like Acrobat JavaScript or shellcode markers required for PDF_GENERIC_STAGE_RECOVERY to fire; the Nyx classifier independently scored the file 0.9999 malicious, and the document also carries an embedded file attachment (PDF_EMBEDDED). Taken together, the evidence points to exploit-driven JavaScript execution inside the reader rather than a benign form script. What the exploit targets and what the final payload does were not determined: the recovered stage is still obfuscated, the only extracted URLs are XMP metadata namespace identifiers rather than download locations, and ClamAV did not complete on either carved artifact, so a resubmission should be expected to retry that scan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 10

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, or hex literals. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser exited 1. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • ClamAV scan did not complete on extracted artifact info CLAMAV_SCAN_INCOMPLETE
    ClamAV did not complete on 2 carved artifact(s); EXTRACTED_FILE_CLAMAV may be missing for this run. The result is not cached so a later submission will retry the scan.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are RDF/XMP metadata namespace identifiers (RDF syntax, XMP basic, Dublin Core, XMP media management, Adobe PDF schema) of the kind found in a document's XMP packet; a reader never fetches them, and they are not download or callback locations.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: javascript_obj0032_000.js
SHA-256: 11848956bd6eff969a9dc530a904c5dd2df3209e67f2dbb81289353d6f9922df
Kind: pdf-javascript-stream
Source: PDF /JS object 32 at offset 0x7E0
Size: 3943 bytes
Detection: ClamAV: No threats found (CLAMAV_SCAN_INCOMPLETE above reports that the scan did not complete on both carved artifacts; treat this as no signature hit, not as a clean verdict)
Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens)

Filename: generic_stage_recovery_000.js
SHA-256: 50f11fba37d1c149c4ada290b84e54201c40e2c12c4698b7f2b3aad8b7656d76
Kind: deobfuscated-js
Source: generic stage recovery (percent-decode) from JavaScript object 32 at offset 0x7E0
Size: 3749 bytes
Detection: ClamAV: No threats found (same caveat: CLAMAV_SCAN_INCOMPLETE applies to this artifact too)
Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens)
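The following is an added example, written for this page and not the scanner's own code, showing the two steps the report describes: carving a /JS object out of a PDF (the "Extracted artifacts" step) and then running bounded generic stage recovery over it with exploit-marker scoring (the PDF_GENERIC_STAGE_RECOVERY rule). The three-object PDF, the percent-encoded hidden stage, the Acrobat API and shellcode markers, and the token-count rule are all constructed for the demonstration; they are not the sample's JavaScript and not the scanner's rule set. The carver scans raw object syntax instead of walking the xref table, which is what lets it keep working on a file that makes a strict parser (such as the pdfminer.six cross-check above) exit.

```python
"""Carve /JS from a PDF and run bounded stage recovery with exploit-marker scoring.

Added example for this page, not the scanner's own code. The PDF, the hidden
stage and the marker list are constructed for the demonstration.
"""
import re
import zlib

# Constructed stage 1: percent-encoded and hidden behind eval(unescape(...)) in stage 0.
# The markers inside it (%u shellcode encoding, util.printf) are illustrative only.
HIDDEN_STAGE = 'var sc = unescape("%u9090%u9090"); util.printf("%45000f", sc);'
STAGE0 = 'var s = "' + "".join("%%%02X" % b for b in HIDDEN_STAGE.encode()) + '"; eval(unescape(s));'
FLATE = zlib.compress(STAGE0.encode())
# Constructed three-object PDF: catalog -> OpenAction /JavaScript -> FlateDecode /JS stream.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Length " + str(len(FLATE)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + FLATE + b"\nendstream\nendobj\n%%EOF\n"
)

def get_object(pdf, num, gen):
    """Return the body of 'num gen obj ... endobj', or None (raw scan, no xref walk)."""
    m = re.search(rb"(?<![0-9])%d\s+%d\s+obj(.*?)endobj" % (num, gen), pdf, re.S)
    return m.group(1) if m else None

def stream_data(obj):
    """Decoded stream body of an object; FlateDecode only, tolerant of a truncated or broken tail."""
    m = re.search(rb"(?<!end)stream\r?\n", obj)
    if not m:
        return b""
    body = obj[m.end():]
    length = re.search(rb"/Length\s+(\d+)(?![0-9]|\s+\d+\s+R)", obj)  # direct /Length only
    body = body[: int(length.group(1))] if length else re.split(rb"\r?\nendstream", body, 1)[0]
    if b"/FlateDecode" in obj:
        try:
            body = zlib.decompressobj().decompress(body)  # yields partial output on truncation
        except zlib.error:
            pass  # keep raw bytes; the transforms below may still expose something
    return body

def carve_js(pdf):
    """(source label, raw JS bytes) for every /JS entry: indirect stream refs and direct (...) strings."""
    out = []
    for m in re.finditer(rb"/JS\s*(?:(\d+)\s+(\d+)\s+R|\((.*?)(?<!\\)\))", pdf, re.S):
        if m.group(1):
            obj = get_object(pdf, int(m.group(1)), int(m.group(2)))
            if obj is not None:
                out.append(("object %s at offset 0x%X" % (m.group(1).decode(), m.start()), stream_data(obj)))
        else:
            out.append(("direct string at offset 0x%X" % m.start(), m.group(3)))
    return out

# Generic recovery transforms: null-byte collapse, %XX/%uXXXX decoding, fromCharCode, \x and \u escapes.
def percent_decode(s):
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def from_char_code(s):
    return re.sub(r"String\.fromCharCode\(\s*([0-9\s,]+?)\s*\)",
                  lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"', s)

def hex_escapes(s):
    return re.sub(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4}))",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

TRANSFORMS = [lambda s: s.replace("\x00", ""), percent_decode, from_char_code, hex_escapes]

# Marker list is an assumption of this example; a real rule set is larger and versioned.
MARKERS = {
    "eval": r"\beval\s*\(", "unescape": r"\bunescape\s*\(", "fromCharCode": r"String\.fromCharCode",
    "%u-shellcode": r"%u[0-9a-fA-F]{4}", "util.printf": r"util\.printf\s*\(",
    "Collab API": r"\bCollab\.\w+", "app.setTimeOut": r"app\.setTimeOut\s*\(",
}
DECODER_TOKENS = ("eval", "unescape", "fromCharCode")            # counted on the raw stage only
EXPLOIT_SHAPES = ("%u-shellcode", "util.printf", "Collab API", "app.setTimeOut")

def recover(js, max_rounds=4):
    """Bounded recovery: re-apply the transforms until a fixed point or max_rounds, scoring every stage."""
    stages = [js.decode("latin-1")]
    for _ in range(max_rounds):
        cur = stages[-1]
        for t in TRANSFORMS:
            cur = t(cur)
        if cur == stages[-1]:
            break
        stages.append(cur)
    hits = {}  # marker -> first round at which it became visible
    for i, st in enumerate(stages):
        for name, rx in MARKERS.items():
            if name not in hits and re.search(rx, st):
                hits[name] = i
    return {
        "stages": stages, "markers": hits,
        "decoder_tokens": sum(len(re.findall(MARKERS[t], stages[0])) for t in DECODER_TOKENS),
        "exploit_like": any(name in hits for name in EXPLOIT_SHAPES),  # the rule's emit condition
    }

def analyze(pdf):
    return [dict(recover(raw), source=src) for src, raw in carve_js(pdf)]

if __name__ == "__main__":
    for r in analyze(SAMPLE_PDF):
        print(r["source"], "| exploit-like:", r["exploit_like"], "| markers:", r["markers"])
        print("recovered stage 1:", r["stages"][1])
```

Every intermediate stage is scored, not only the final one: a second percent-decoding round turns the %u9090 shellcode-style escapes into raw characters, so a scanner that only inspects the fixed point would lose exactly the marker it was looking for. The "first round at which the marker became visible" value is what distinguishes a marker that was in the plain stream (round 0, the PDF_EVAL case) from one that recovery exposed (round 1 or later, the PDF_GENERIC_STAGE_RECOVERY case).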