Malicious PDF — malware analysis report

Static analysis result for SHA-256 b53cdbc66083ee3d…

Verdict: MALICIOUS
File type: PDF
Size: 189.7 KB
MD5: 384f1adcfa67c1f646a6dd3695f16169
SHA-1: b53797ac4b856d5233041a2341b9f12924f85101
SHA-256: b53cdbc66083ee3da25f3b0f20d9dc2e7d266ab9049fb9a175ca716e77e0ea16
Risk score: 168

Malware Insights

MITRE ATT&CK
  • T1059.001 JavaScript
  • T1559.001 Component Object Model
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript and 3D content, triggering heuristics related to JavaScript execution and potential exploitation of PDF vulnerabilities (CVE-family). The presence of unescape() calls and ML classification further indicate malicious intent. The JavaScript is likely used to download and execute a second-stage payload, although the exact mechanism is obfuscated. The benign URLs present are likely decoys or standard PDF metadata.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.5668

Heuristics (7)

  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator (severity: high, CVE related, rule PDF_U3D_CVE_RELATED)
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • PRC/3D content in PDF (severity: high, CVE related, rule PDF_PRC_3D)
    PDF contains PRC 3D content. PRC/U3D parsers have been a recurring Adobe Reader attack surface; treat this as a related parser-exploit indicator rather than a specific CVE match.
  • unescape() call (severity: high, rule PDF_UNESCAPE)
    unescape() found; it is often used to decode shellcode in PDF JavaScript exploits (matched inside decoded stream).
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_016_off00008ab9.bin
    SHA-256: 8ef5cce30cc1cd83b6bce8c5b13c11b5ba5f96df474f0cef150eafd7f326d5db
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x8AB9
    Size: 2684 bytes
  • stream_018_off00019bca.bin
    SHA-256: 10ff09c466abd73cb5b22ad9da47c3067f965d1039a8c5819085ab96a5783327
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x19BCA
    Size: 490614 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s))
  • objstm_0020_00.bin
    SHA-256: 11acbba3369fb8499b0126439f42b6c62f601d616c90732b5538cc270d6063f6
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 20 0 obj (inflated)
    Size: 4242 bytes
  • prc_00_off0000aa41.bin
    SHA-256: c0e2a816bca4bd73da8930a4e65e1c31b374efe6fdd5e18696644cb7abe1f8e1
    Kind: pdf-3d-stream
    Source: PDF PRC 3D stream at offset 0xAA41
    Size: 61759 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)