🔏 Digital signature Modified after signing
A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.
Malware Insights
The PDF file contains multiple embedded JavaScript streams, with one particularly large stream (stream_009_off00006cdf.js) identified as a suspicious extracted artifact. The presence of PDF_JAVASCRIPT and PDF_EMBEDDED_SCRIPT_PAYLOAD heuristics indicates that these scripts are likely designed to execute malicious code. The primary function appears to be downloading and executing a second-stage payload from a remote source, which is a common technique for malware delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9587
Heuristics 9
-
Active content added after the PDF was signed medium PDF_SIGNATURE_POST_SIGN_MODIFICATIONAn incremental update appended AFTER the signed byte range introduces active content (/AA, /EmbeddedFile, /Catalog). Some of this can occur in legitimate form-fill (field scripts, a rewritten /Catalog), so it is suspicious rather than damning — but it is content the signer did not approve.
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
Embedded script payload in PDF stream info PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://www.formulaires.modernisation.gouv.fr/gf/enligne.do?userSkippedMSP=true Referenced by PDF JavaScript
- https://www.formulaires.modernisation.gouv.fr/gf/horsligne.do?userSkippedMSP=trueReferenced by PDF JavaScript
- http://www.adobe.com/products/acrobat/readstep2.htmlIn PDF document text
- http://www.adobe.com/go/reader_downloadIn PDF document text
- http://www.adobe.com/go/acrreaderIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In PDF document text
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In PDF document text
- http://ns.adobe.com/xap/1.0/sType/ManifestItem#In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/g/img/In PDF document text
- http://ns.adobe.com/xmp/InDesign/privateIn PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xfa/promoted-desc/In PDF document text
- http://ns.adobe.com/xdp/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-form/2.8/Referenced by PDF JavaScript
- http://www.adobe.com/supporIn PDF document text
- http://www.adobe.com/go/acrIn PDF document text
- http://cgi.adobe.com/special/acrobat/updateReferenced by PDF JavaScript
- http://www.xfa.org/schema/xci/1.0/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xci/2.8/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-template/2.8/Referenced by PDF JavaScript
- http://www.w3.org/1999/xhtmlReferenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-data/1.0/Referenced by PDF JavaScript
- http://ns.adobe.com/data-description/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-connection-set/2.8/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-locale-set/2.7/Referenced by PDF JavaScript
Extracted artifacts 14
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0063.bin |
pdf-embedded-file | PDF EmbeddedFile object 63 at offset 0x17333 | 85 bytes |
SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb |
|||
embedded_file_obj0064.bin |
pdf-embedded-file | PDF EmbeddedFile object 64 at offset 0x173E6 | 500 bytes |
SHA-256: d3c03718b781ff3375972a1ee89ea3511497fefde87aa1454767f37670146602 |
|||
embedded_file_obj0088.bin |
pdf-embedded-file | PDF EmbeddedFile object 88 at offset 0x1E971 | 861 bytes |
SHA-256: 231ce3b5f42ff69ca0f66f322982d3a08030c8e2fc708d42f5877b8d19c894df |
|||
javascript_obj0021_000.js |
pdf-javascript-stream | PDF /JS object 21 at offset 0x5CD3 | 1532 bytes |
SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8 |
|||
Preview scriptFirst 1,000 lines of the extracted script
if (typeof(xfa_installed) == "undefined" || typeof(xfa_version) == "undefined" || xfa_version < 2.1)
{
if (app.viewerType == "Reader")
{
if (ADBE.Reader_Value_Asked != true)
{
if (app.viewerVersion < 6.0)
{
if (app.alert(ADBE.Viewer_Form_string_Reader_5x, 1, 1) == 1)
this.getURL(ADBE.Reader_Value_New_Version_URL + ADBE.SYSINFO, false);
ADBE.Reader_Value_Asked = true;
}
else if (app.viewerVersion < 7.0)
{
if (app.alert(ADBE.Viewer_Form_string_Reader_601, 1, 1) == 1)
app.findComponent({cType:"App", cName:"Reader7", cDesc: ADBE.Viewer_string_Update_Reader_Desc});
ADBE.Reader_Value_Asked = true;
}
else
{
if (app.alert(ADBE.Viewer_Form_string_Reader_6_7x, 1, 1) == 1)
app.findComponent({cType:"Plugin", cName:"XFA", cDesc: ADBE.Viewer_string_Update_Reader_Desc});
ADBE.Reader_Value_Asked = true;
}
}
}
else
{
if (ADBE.Viewer_Value_Asked != true)
{
if (app.viewerVersion < 7.0)
app.response({cQuestion: ADBE.Viewer_Form_string_Viewer_Older, cDefault: ADBE.Viewer_Value_New_Version_URL + ADBE.SYSINFO, cTitle: ADBE.Viewer_string_Title});
else if (app.alert(ADBE.Viewer_Form_string_Viewer, 1, 1) == 1)
app.findComponent({cType:"Plugin", cName:"XFA", cDesc: ADBE.Viewer_string_Update_Desc});
ADBE.Viewer_Value_Asked = true;
}
}
}
|
|||
javascript_obj0022_001.js |
pdf-javascript-stream | PDF /JS object 22 at offset 0x5EBD | 870 bytes |
SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb |
|||
Preview scriptFirst 1,000 lines of the extracted script
if (typeof(ADBE.Reader_Value_Asked) == "undefined")
ADBE.Reader_Value_Asked = false;
if (typeof(ADBE.Viewer_Value_Asked) == "undefined")
ADBE.Viewer_Value_Asked = false;
if (typeof(ADBE.Reader_Need_Version) == "undefined" || ADBE.Reader_Need_Version < 7.0)
{
ADBE.Reader_Need_Version = 7.0;
ADBE.Reader_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&w=" + "XFA1_6";
}
if (typeof(ADBE.Viewer_Need_Version) == "undefined" || ADBE.Viewer_Need_Version < 7.0)
{
ADBE.Viewer_Need_Version = 7.0;
ADBE.Viewer_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&w=" + "XFA1_6";
}
|
|||
javascript_obj0023_002.js |
pdf-javascript-stream | PDF /JS object 23 at offset 0x6016 | 2795 bytes |
SHA-256: 826c5622c798d67e5281cca7e05933dddc90ccdcb0a6177c9f7d06f11bef8f7f |
|||
Preview scriptFirst 1,000 lines of the extracted script
if (typeof(this.ADBE) == "undefined") this.ADBE = new Object(); ADBE.LANGUAGE = "ENU"; ADBE.Viewer_string_Title = "Adobe Acrobat"; ADBE.Viewer_string_Update_Desc = "Adobe Interactive Forms Update"; ADBE.Viewer_string_Update_Reader_Desc = "Adobe Reader 7.0.5"; ADBE.Reader_string_Need_New_Version_Msg = "This PDF file requires a newer version of Adobe Reader. Press OK to download the latest version or see your system administrator."; ADBE.Viewer_Form_string_Reader_601 = "This PDF form requires a newer version of Adobe Reader. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK to initiate an online update or see your system administrator."; ADBE.Viewer_Form_string_Reader_Older = "This PDF form requires a newer version of Adobe Reader. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK for online download information or see your system administrator."; ADBE.Viewer_Form_string_Viewer_601 = "This PDF form requires a newer version of Adobe Acrobat. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK to initiate an online update or see your system administrator."; ADBE.Viewer_Form_string_Viewer_60 = "This PDF form requires a newer version of Adobe Acrobat. Although the form may appear to work properly, some elements may function improperly or may not appear at all. For more information please copy the following URL (CTRL+C on Win, Command-C on Mac) and paste into your browser or see your system administrator."; ADBE.Viewer_Form_string_Viewer_Older = "This PDF requires a newer version of Acrobat. Copy this URL and paste into your browser or see your sys admin."; ADBE.Viewer_Form_string_Reader_5x = "This PDF form requires a newer version of Adobe Reader. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will open your browser to a web page where you can obtain the latest version."; ADBE.Viewer_Form_string_Reader_6_7x = "This PDF form requires a newer version of Adobe Reader. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will download and install the latest version."; ADBE.Viewer_Form_string_Viewer = "This PDF form requires a newer version of Adobe Acrobat. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will download and install the latest version."; |
|||
stream_008_off00006397.js |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6397 | 7568 bytes |
SHA-256: 764975ffc7bee33080147f409de6f25fa67287f6a2ac77bd638c2e68e87b3313 |
|||
stream_009_off00006cdf.js |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6CDF | 78101 bytes |
SHA-256: d3b80419130d0ce77579d1f34355042bc71b4b87b0cd3a5544a780cb4a588629 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
280 of 689 identifiers look randomly generated (e.g. 'A000B000C000F001000110013001400160018001'); 4 string-concatenation chain(s) — consistent with name-mangling obfuscation. Carved artifact contains 2 long base64-like blob(s).
|
|||
stream_010_off0000b824.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB824 | 772 bytes |
SHA-256: a6bdbc4531d057f90ecc908066dbb28f761975a399d15f1e397670cb6b997046 |
|||
stream_011_off0000b9dc.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB9DC | 320 bytes |
SHA-256: ca28174e864050c566429ba0b638afc23ca8172ca3f442b9d309687cfb4a35b1 |
|||
stream_012_off0000bb09.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xBB09 | 2876 bytes |
SHA-256: 4a2a895acd59e8428051f67fd6844beb3e1bf56e84fd445e967ea94dba59f05a |
|||
stream_013_off0000be69.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xBE69 | 17479 bytes |
SHA-256: ba0062f3cfedb8ec5174e4a8bf6cda8c830cb983c6ac1ad787452c184ea93751 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
266 of 461 identifiers look randomly generated (e.g. 'EBAQEBAUEQ8RERERDxERFxoaGhcRHyEhISEfKy0t'); 5 string-concatenation chain(s) — consistent with name-mangling obfuscation.
|
|||
stream_015_off0000e30b.js |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xE30B | 8983 bytes |
SHA-256: 6c6d19c5a4e1edd003e153936b336ca5c278a3ca12f82a39671360b93380a9b8 |
|||
stream_016_off0000eb42.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xEB42 | 1605 bytes |
SHA-256: 07f0957be46390c366db6ab488d94c4e814d684f6e6664d98c5562e7d5f9cff2 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.