Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf3c380995aa6474…

MALICIOUS

PDF

1.1 KB
MD5: 2090f8d4d083ea7b56fad13d1ae661a1 SHA-1: d910c4a81122c360fe57f67a04999425a65249db SHA-256: cf3c380995aa6474896503d1b79d01aad19f02a83b7c0d0e6c2e599abb52508e
188 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: Malicious File

The PDF contains embedded JavaScript that utilizes the 'this.exportDataObject' API, indicating an attempt to drop or execute a file. This action is paired with a '/Launch' action targeting the URL http://sophostest.com/callhome/index.html. The combination suggests the PDF is designed to exploit vulnerabilities or trick the user into downloading and running a malicious payload from the specified URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: http://sophostest.com/callhome/index.html high PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target.
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://sophostest.com/callhome/index.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0942_000.js
312a06ff939a49ae68e3ce5260b914890997c0bf3e247a3f1185ac3f9fe3c916		 pdf-javascript-stream PDF /JS object 942 at offset 0x309 57 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.