Malicious PDF — malware analysis report

Static analysis result for SHA-256 b580a7f9ca8cad6b…

MALICIOUS

PDF

138.6 KB Authoring application: Python PDF Library 055 http072057057pybrary056net057pyPdf057
MD5: ea113fe002af6e6b3d67c08b9b669876 SHA-1: 9eeebda158f73382bb9526fea1b65b57e06acb46 SHA-256: b580a7f9ca8cad6bb657160f7d89f5fbba799e781e38bb7cf12782689634a0e3
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File T1059.001 PowerShell

This PDF contains embedded JavaScript and a RichMedia (Flash) object, indicating an attempt to exploit vulnerabilities. A secondary embedded PDF was also detected, which itself contains suspicious static findings including JavaScript, embedded files, and RichMedia. This suggests a multi-stage attack where the initial PDF serves as a dropper for the secondary PDF, likely to execute further malicious code or download additional payloads. The presence of these elements strongly points towards a malicious intent, likely for exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://adobe.com/AS3/2006/builtin

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
pushpro.swf
5e8b92090afc1d9f8b703028aa20e64debf63c74b6db09f92633790c303e679f		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0xB4F 772 bytes
polyglot_child_pdf_off000211eb.pdf
792fa1dbdc5b734b2a0b33bbf882d15c727a29c4f23671fb6c2a54c6eb0952b9		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x211EB 6297 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.