Malicious PDF — malware analysis report

Static analysis result for SHA-256 b89dd631537f143c…

MALICIOUS

PDF

6.47 MB
MD5: 84bccfefe51cecebef33cbfaa0b82642 SHA-1: 5310d4b55546e0e5aff10e4c03149bbf17831aea SHA-256: b89dd631537f143c3f59eeae1665d1cb3cb77a33a580df1df1484ec20877eae9
114 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF contains JavaScript that utilizes the exportDataObject and nLaunch functions, indicating an attempt to automatically launch an embedded file upon opening. The embedded file is named 'test.doc'. This behavior is characteristic of a dropper or exploit delivery mechanism within a PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • exportDataObject + nLaunch — embedded-file launch-on-open dropper critical PDF_JS_EXPORT_LAUNCH_DROPPER
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
test.doc
b572c0ef43dd6c8e6fda9cdba2adb7ab8dfe074981d62d582d8457ae3f96c7f9		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x5D2 2260513 bytes
javascript_obj0009_000.js
f4202c85a4cb93d4b82b9bb0b4ea5e174d56cb4c465226dabd1c563690942529		 pdf-javascript-stream PDF /JS object 9 at offset 0x677E41 57 bytes
javascript_obj0009_001.js
b8cebed679e527f70945c094cd6d1a6534ebe9b43e42651bc56cefb684263b2d		 pdf-javascript-stream PDF /JS object 9 at offset 0x677E41 55 bytes
combined_document_js_000.js
e60daab43579d25aff483960fbdbd97820f26c372a72ad34ceb3140ad2331d93		 deobfuscated-js combined document JavaScript streams at offset 0x677E41 113 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.