Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb5d7e81efeb9e8c…

Verdict: MALICIOUS

File type: PDF

Size: 123.6 KB
Created: 2011-08-29 16:15:54 +02:00
Authoring application: Adobe LiveCycle Designer ES 9.0 (via Adobe LiveCycle Forms 8.2)
First seen: 2026-05-08
MD5: 52302e5d4a680243f4a85ea753877869
SHA-1: 282ca5e4b066ba556cd1dfe53c60b4468bc72413
SHA-256: cb5d7e81efeb9e8c10721a1b41468bebf88470b463e4653a13077703126591ce
Risk score: 90

Digital signature: modified after signing

A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains multiple embedded JavaScript streams, with one particularly large stream (stream_009_off00006cdf.js) identified as a suspicious extracted artifact. The presence of PDF_JAVASCRIPT and PDF_EMBEDDED_SCRIPT_PAYLOAD heuristics indicates that these scripts are likely designed to execute malicious code. The primary function appears to be downloading and executing a second-stage payload from a remote source, which is a common technique for malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9587

Heuristics (9)

  • Active content added after the PDF was signed medium PDF_SIGNATURE_POST_SIGN_MODIFICATION
    An incremental update appended AFTER the signed byte range introduces active content (/AA, /EmbeddedFile, /Catalog). Some of this can occur in legitimate form-fill (field scripts, a rewritten /Catalog), so it is suspicious rather than damning — but it is content the signer did not approve.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded script payload in PDF stream info PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (with the channel that referenced each one):
    • https://www.formulaires.modernisation.gouv.fr/gf/enligne.do?userSkippedMSP=true (Referenced by PDF JavaScript)
    • https://www.formulaires.modernisation.gouv.fr/gf/horsligne.do?userSkippedMSP=true (Referenced by PDF JavaScript)
    • http://www.adobe.com/products/acrobat/readstep2.html (In PDF document text)
    • http://www.adobe.com/go/reader_download (In PDF document text)
    • http://www.adobe.com/go/acrreader (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (In PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (In PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem# (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/g/img/ (In PDF document text)
    • http://ns.adobe.com/xmp/InDesign/private (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xfa/promoted-desc/ (In PDF document text)
    • http://ns.adobe.com/xdp/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-form/2.8/ (Referenced by PDF JavaScript)
    • http://www.adobe.com/suppor (In PDF document text)
    • http://www.adobe.com/go/acr (In PDF document text)
    • http://cgi.adobe.com/special/acrobat/update (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xci/1.0/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xci/2.8/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-template/2.8/ (Referenced by PDF JavaScript)
    • http://www.w3.org/1999/xhtml (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-data/1.0/ (Referenced by PDF JavaScript)
    • http://ns.adobe.com/data-description/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-connection-set/2.8/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-locale-set/2.7/ (Referenced by PDF JavaScript)

Extracted artifacts (14)

Files carved from inside the sample during analysis.

Each entry lists: filename (kind; source; size), followed by its SHA-256.

embedded_file_obj0063.bin (pdf-embedded-file; PDF EmbeddedFile object 63 at offset 0x17333; 85 bytes)
SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
embedded_file_obj0064.bin (pdf-embedded-file; PDF EmbeddedFile object 64 at offset 0x173E6; 500 bytes)
SHA-256: d3c03718b781ff3375972a1ee89ea3511497fefde87aa1454767f37670146602
embedded_file_obj0088.bin (pdf-embedded-file; PDF EmbeddedFile object 88 at offset 0x1E971; 861 bytes)
SHA-256: 231ce3b5f42ff69ca0f66f322982d3a08030c8e2fc708d42f5877b8d19c894df
javascript_obj0021_000.js (pdf-javascript-stream; PDF /JS object 21 at offset 0x5CD3; 1532 bytes)
SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
Script preview (first 1,000 lines of the extracted script):
if (typeof(xfa_installed) == "undefined" || typeof(xfa_version) == "undefined" || xfa_version < 2.1)
{
   if (app.viewerType == "Reader")
   {
      if (ADBE.Reader_Value_Asked != true)
      {
         if (app.viewerVersion < 6.0)
         {
            if (app.alert(ADBE.Viewer_Form_string_Reader_5x, 1, 1) == 1)
               this.getURL(ADBE.Reader_Value_New_Version_URL + ADBE.SYSINFO, false);
            ADBE.Reader_Value_Asked = true;
         }
         else if (app.viewerVersion < 7.0)
         {
            if (app.alert(ADBE.Viewer_Form_string_Reader_601, 1, 1) == 1)
               app.findComponent({cType:"App", cName:"Reader7", cDesc: ADBE.Viewer_string_Update_Reader_Desc});
            ADBE.Reader_Value_Asked = true;
         }
         else
         {
            if (app.alert(ADBE.Viewer_Form_string_Reader_6_7x, 1, 1) == 1)
               app.findComponent({cType:"Plugin", cName:"XFA", cDesc: ADBE.Viewer_string_Update_Reader_Desc});
            ADBE.Reader_Value_Asked = true;
         }
      }
   }
   else
   {
      if (ADBE.Viewer_Value_Asked != true)
      {
         if (app.viewerVersion < 7.0)
            app.response({cQuestion: ADBE.Viewer_Form_string_Viewer_Older, cDefault: ADBE.Viewer_Value_New_Version_URL + ADBE.SYSINFO, cTitle: ADBE.Viewer_string_Title});
         else if (app.alert(ADBE.Viewer_Form_string_Viewer, 1, 1) == 1)
            app.findComponent({cType:"Plugin", cName:"XFA", cDesc: ADBE.Viewer_string_Update_Desc});
         ADBE.Viewer_Value_Asked = true;
      }
   }
}
javascript_obj0022_001.js (pdf-javascript-stream; PDF /JS object 22 at offset 0x5EBD; 870 bytes)
SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
Script preview (first 1,000 lines of the extracted script):
if (typeof(ADBE.Reader_Value_Asked) == "undefined")
   ADBE.Reader_Value_Asked = false;
if (typeof(ADBE.Viewer_Value_Asked) == "undefined")
   ADBE.Viewer_Value_Asked = false;
if (typeof(ADBE.Reader_Need_Version) == "undefined" || ADBE.Reader_Need_Version < 7.0)
{
   ADBE.Reader_Need_Version = 7.0;
   ADBE.Reader_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
   ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&w=" + "XFA1_6";
}
if (typeof(ADBE.Viewer_Need_Version) == "undefined" || ADBE.Viewer_Need_Version < 7.0)
{
   ADBE.Viewer_Need_Version = 7.0;
   ADBE.Viewer_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
   ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&w=" + "XFA1_6";
}
javascript_obj0023_002.js (pdf-javascript-stream; PDF /JS object 23 at offset 0x6016; 2795 bytes)
SHA-256: 826c5622c798d67e5281cca7e05933dddc90ccdcb0a6177c9f7d06f11bef8f7f
Script preview (first 1,000 lines of the extracted script):
if (typeof(this.ADBE) == "undefined")
   this.ADBE = new Object();
ADBE.LANGUAGE = "ENU";
ADBE.Viewer_string_Title = "Adobe Acrobat";
ADBE.Viewer_string_Update_Desc = "Adobe Interactive Forms Update";
ADBE.Viewer_string_Update_Reader_Desc = "Adobe Reader 7.0.5";
ADBE.Reader_string_Need_New_Version_Msg = "This PDF file requires a newer version of Adobe Reader. Press OK to download the latest version or see your system administrator.";
ADBE.Viewer_Form_string_Reader_601 = "This PDF form requires a newer version of Adobe Reader. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK to initiate an online update or see your system administrator.";
ADBE.Viewer_Form_string_Reader_Older = "This PDF form requires a newer version of Adobe Reader. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK for online download information or see your system administrator.";
ADBE.Viewer_Form_string_Viewer_601 = "This PDF form requires a newer version of Adobe Acrobat. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK to initiate an online update or see your system administrator.";
ADBE.Viewer_Form_string_Viewer_60 = "This PDF form requires a newer version of Adobe Acrobat. Although the form may appear to work properly, some elements may function improperly or may not appear at all. For more information please copy the following URL (CTRL+C on Win, Command-C on Mac) and paste into your browser or see your system administrator.";
ADBE.Viewer_Form_string_Viewer_Older = "This PDF requires a newer version of Acrobat. Copy this URL and paste into your browser or see your sys admin.";
ADBE.Viewer_Form_string_Reader_5x = "This PDF form requires a newer version of Adobe Reader. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will open your browser to a web page where you can obtain the latest version.";
ADBE.Viewer_Form_string_Reader_6_7x = "This PDF form requires a newer version of Adobe Reader. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will download and install the latest version.";
ADBE.Viewer_Form_string_Viewer = "This PDF form requires a newer version of Adobe Acrobat. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will download and install the latest version.";
stream_008_off00006397.js (decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x6397; 7568 bytes)
SHA-256: 764975ffc7bee33080147f409de6f25fa67287f6a2ac77bd638c2e68e87b3313
stream_009_off00006cdf.js (decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x6CDF; 78101 bytes)
SHA-256: d3b80419130d0ce77579d1f34355042bc71b4b87b0cd3a5544a780cb4a588629
Detection
ClamAV: No threats found
Obfuscation or payload: likely
280 of 689 identifiers look randomly generated (e.g. 'A000B000C000F001000110013001400160018001'); 4 string-concatenation chain(s) — consistent with name-mangling obfuscation. Carved artifact contains 2 long base64-like blob(s).
stream_010_off0000b824.bin (decompressed-pdf-stream; PDF FlateDecoded stream at offset 0xB824; 772 bytes)
SHA-256: a6bdbc4531d057f90ecc908066dbb28f761975a399d15f1e397670cb6b997046
stream_011_off0000b9dc.bin (decompressed-pdf-stream; PDF FlateDecoded stream at offset 0xB9DC; 320 bytes)
SHA-256: ca28174e864050c566429ba0b638afc23ca8172ca3f442b9d309687cfb4a35b1
stream_012_off0000bb09.bin (decompressed-pdf-stream; PDF FlateDecoded stream at offset 0xBB09; 2876 bytes)
SHA-256: 4a2a895acd59e8428051f67fd6844beb3e1bf56e84fd445e967ea94dba59f05a
stream_013_off0000be69.bin (decompressed-pdf-stream; PDF FlateDecoded stream at offset 0xBE69; 17479 bytes)
SHA-256: ba0062f3cfedb8ec5174e4a8bf6cda8c830cb983c6ac1ad787452c184ea93751
Detection
ClamAV: No threats found
Obfuscation or payload: likely
266 of 461 identifiers look randomly generated (e.g. 'EBAQEBAUEQ8RERERDxERFxoaGhcRHyEhISEfKy0t'); 5 string-concatenation chain(s) — consistent with name-mangling obfuscation.
stream_015_off0000e30b.js (decompressed-pdf-stream; PDF FlateDecoded stream at offset 0xE30B; 8983 bytes)
SHA-256: 6c6d19c5a4e1edd003e153936b336ca5c278a3ca12f82a39671360b93380a9b8
stream_016_off0000eb42.bin (decompressed-pdf-stream; PDF FlateDecoded stream at offset 0xEB42; 1605 bytes)
SHA-256: 07f0957be46390c366db6ab488d94c4e814d684f6e6664d98c5562e7d5f9cff2