Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd5fe9a3f0bd067c…

MALICIOUS

PDF

4.9 KB Created: 2011-04-05 23:46:28 Authoring application: bub lob
MD5: 02c78b7e1f25178e30ef7c7102f2ea08 SHA-1: 875a9dedbefe709139def3e933c5d0518f5d3707 SHA-256: bd5fe9a3f0bd067cc0c31777ebebc572a3d9df7e1f54c4d5b79c5a6df14d1aff
66 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file was flagged as malicious by an ML classifier with high confidence. It contains an embedded JavaScript file, which is a common technique for delivering secondary payloads. The presence of PDF_EMBEDDED_SCRIPT_PAYLOAD heuristic further supports this. The JavaScript file itself is the primary IOC. The exact intent of the script could not be fully determined due to its size and potential obfuscation, but it is highly likely to be a downloader.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off00000331.js
04c504e7bd370504c7e06a584ea5d12655f5b753405fcba99eece82d13c0f528		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x331 13524 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.