Verdict: MALICIOUS (risk score 104)
Malware Insights
MITRE ATT&CK
- T1204 User Execution
- T1204.002 User Execution: Malicious File
- T1059 Command and Scripting Interpreter
- T1059.005 Command and Scripting Interpreter: Visual Basic
The PDF contains embedded JavaScript that, based on the static findings, is likely used to download and execute a second-stage payload. Two heuristics drive the verdict: a generic exploit-stage recovery (hidden JavaScript exposed by static transforms that matches exploit-like Acrobat JavaScript markers) and a suspicious secondary PDF body embedded at a nonzero offset inside the container, which together indicate a multi-stage sample. The recovered JavaScript files and the carved child PDFs are the primary indicators of compromise and the artifacts to examine first. Note that ClamAV signatures did not match and the extracted URLs are reported at info level only, so the verdict rests on the heuristic firings and the ML classifier score.
Machine Learning
- Nyx PDF Classifier clean score 0.0691 (a low probability of being clean; the classifier leans malicious)
Heuristics (4)
- POLYGLOT_CHILD_PDF_STATIC_TRIAGE (critical): Secondary embedded PDF body has suspicious static findings. A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes the file to a ZIP/OLE handler while a PDF reader or a downstream parser opens the hidden PDF payload.
- PDF_GENERIC_STAGE_RECOVERY (high): Generic recovered JavaScript exploit stage. Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.adrift.org.uk/
  - http://www.inform-fiction.org/
  - http://www.namazu.org/
  - http://www.djvuzone.org/
  - http://cgi.adobe.com/special/acrobat/mediaplayerfinder/mediaplayerfinder.cgi
  - http://www.geocities.com/nevilo/mod.htm
  - http://www.lua.org/
  - http://www.libpng.org/pub/mng/spec/
  - http://hdf.ncsa.uiuc.edu/
  - http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html
  - http://www.macromedia.com/software/flash/open/
  - http://cgi.adobe.com/special/acrobat/mediaplayerfinder/mediaplayerfinder.cgi?�6�-af�-�6�- (query string contains non-printable bytes as extracted)
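The polyglot condition behind POLYGLOT_CHILD_PDF_STATIC_TRIAGE can be reproduced with a short carver. The following is an added example, not the analyzer's own code: it labels the top-level magic the way a router would, finds every `%PDF-` header at a nonzero offset, trims each body to its last `%%EOF`, inflates any Flate streams, and checks a small marker list. The ZIP-fronted container, the child PDF, the `build_sample`, `scan` and `triage_child` helpers and the marker list are all constructed for the demo; a production rule set is far larger.

```python
"""Added example, not the analyzer's own code: carve PDF bodies that begin at a
nonzero offset inside another container and run a small static triage over
each, the condition behind the POLYGLOT_CHILD_PDF_STATIC_TRIAGE heuristic.
The ZIP-fronted container, the child PDF and the marker list are constructed
for this demo."""
import re
import zlib

PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
PDF_EOF = b"%%EOF"
# 'stream' keyword followed by EOL, but not the 'stream' inside 'endstream'
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)

# Assumed minimal marker set; a production triage rule set is much larger.
SUSPICIOUS_PDF_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def top_level_magic(data):
    """Label a magic-based router would give the whole file. Acrobat only
    requires the %PDF header within the first 1024 bytes, and many parsers
    scan further, so a PDF body hidden deeper is opened by the reader while
    the router has already sent the file down the ZIP/OLE path."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"
    return "other"


def carve_child_pdfs(data):
    """Return [(offset, body)] for every %PDF header at a NONZERO offset.
    A body runs to the next header (or end of input) and is trimmed to the
    last %%EOF in that span, so incremental-update trailers are kept."""
    headers = [m.start() for m in PDF_HEADER.finditer(data)]
    out = []
    for i, off in enumerate(headers):
        if off == 0:
            continue  # offset 0 is the top-level document, not a child
        stop = headers[i + 1] if i + 1 < len(headers) else len(data)
        span = data[off:stop]
        eof = span.rfind(PDF_EOF)
        if eof != -1:
            span = span[: eof + len(PDF_EOF)]
        out.append((off, span))
    return out


def inflate_streams(body):
    """Decompressed content of every stream that inflates, raw bytes otherwise,
    so markers hidden behind /FlateDecode are still visible to the triage."""
    parts = []
    for m in STREAM.finditer(body):
        raw = m.group(1)
        try:
            parts.append(zlib.decompress(raw))
        except zlib.error:
            parts.append(raw)
    return parts


def triage_child(body):
    """Sorted marker names present in the child body or its inflated streams."""
    haystacks = [body] + inflate_streams(body)
    return sorted(m.decode() for m in SUSPICIOUS_PDF_MARKERS
                  if any(m in h for h in haystacks))


def scan(data):
    """Carve every child PDF and report offset, size and triage hits."""
    return [{"offset": off, "size": len(body), "markers": triage_child(body)}
            for off, body in carve_child_pdfs(data)]


def build_sample():
    """Constructed polyglot: ZIP local-file-header magic at offset 0, then a
    PDF whose JavaScript action sits inside a Flate-compressed stream."""
    action = zlib.compress(b"<< /S /JavaScript /JS (app.alert('stage');) >>")
    child = (b"%PDF-1.7\n"
             b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
             b"2 0 obj\n<< /Length " + str(len(action)).encode()
             + b" /Filter /FlateDecode >>\nstream\n" + action
             + b"\nendstream\nendobj\n%%EOF")
    zip_prefix = b"PK\x03\x04" + b"\x00" * 26 + b"payload.bin" + b"\x00" * 200
    return zip_prefix + child  # child header lands at offset 241


if __name__ == "__main__":
    sample = build_sample()
    print("top-level magic:", top_level_magic(sample))
    for hit in scan(sample):
        print("child PDF at 0x%X, %d bytes, markers: %s"
              % (hit["offset"], hit["size"], hit["markers"]))
```

Run stand-alone it reports the file as `zip` at the top level and a child PDF at offset 0xF1 carrying `/JS`, `/JavaScript` and `/OpenAction`, which is exactly the split between what the router sees and what a PDF parser opens. The same carver applied to the report's sample would yield the two `polyglot_child_pdf_off*.pdf` artifacts listed below.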
Extracted artifacts (4)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| generic_stage_recovery_000.js | 120189d91737353b3f0034bece97c9c4550f8613c41e07b13424a736fce46fe5 | deobfuscated-js | generic stage recovery (null-collapse) from decompressed stream at 0x0, offset 0x0 | 198773 bytes |
| generic_stage_recovery_001.js | 5cdac2b6bda4d1af0f11a1790dbe956cbfcdd98748129d78d864bfd601d5d62e | deobfuscated-js | generic stage recovery (null-collapse) from decompressed stream at 0x53CD, offset 0x53CD | 1147 bytes |
| polyglot_child_pdf_off0000ab65.pdf | fc5063d5c35f0f76ff2368f2252611041b57a2db248585def99f4e4420858ee5 | polyglot-child-pdf | Secondary PDF body inside PDF container at offset 0xAB65 | 258053 bytes |
| polyglot_child_pdf_off000499c8.pdf | e3ade5af26d4697e70bed5be08f1c666184a14aadad6f9c5fa5c96e2c0235ff4 | polyglot-child-pdf | Secondary PDF body inside PDF container at offset 0x499C8 | 418 bytes |

Detection notes for generic_stage_recovery_000.js:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 9 long base64-like blobs)
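The two `generic_stage_recovery_*.js` artifacts and the "long base64-like blob" note come from the kind of bounded, generic recovery pass described by PDF_GENERIC_STAGE_RECOVERY. The block below is an added example, not the analyzer's own code: it applies a few of the listed transforms (null-byte collapse, percent decoding, fromCharCode numeric arrays, hex literals) repeatedly up to a round limit, matches exploit-like Acrobat JavaScript and shellcode markers against every intermediate stage, and counts long base64-like runs in the final stage. The marker lists, the 64-character blob threshold, the round limit and the obfuscated `build_sample` input are all constructed here and are not the analyzer's rule set.

```python
"""Added example, not the analyzer's own code: a bounded, generic stage-recovery
pass of the kind PDF_GENERIC_STAGE_RECOVERY and the artifact table describe
(null-byte collapse, percent decoding, fromCharCode numeric arrays, hex
literals), followed by the two checks applied to the carved output: exploit-like
Acrobat JavaScript or shellcode markers, and long base64-like blobs. The marker
lists, the blob threshold and the obfuscated sample are all constructed here."""
import base64
import re
from urllib.parse import unquote

# Assumed marker list: Acrobat API names and heap-spray idioms that show up in
# exploit stages far more often than in benign document scripts.
ACROBAT_EXPLOIT_MARKERS = (
    "util.printf", "app.viewerVersion", "Collab.collectEmailInfo",
    "media.newPlayer", "spell.customDictionaryOpen", "unescape(", "%u0c0c",
)
SHELLCODE_RUNS = (re.compile(r"(?:%u[0-9a-fA-F]{4}){8,}"),
                  re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}"))
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
CHARCODE_CALL = re.compile(
    r"(?:String\.)?fromCharCode\(\s*((?:\d{1,3}\s*,\s*)+\d{1,3})\s*\)")
HEX_LITERALS = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")
MAX_ROUNDS = 4  # bounded: give up even if a decoder keeps producing new text


def null_collapse(s):
    return s.replace("\x00", "")


def percent_decode(s):
    return unquote(s) if "%" in s else s


def from_charcode(s):
    """Replace String.fromCharCode(117,116,...) with the string it builds."""
    return CHARCODE_CALL.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"', s)


def hex_literals(s):
    """Decode runs of \\xNN escapes into the characters they denote."""
    return HEX_LITERALS.sub(
        lambda m: bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1"), s)


TRANSFORMS = (null_collapse, percent_decode, from_charcode, hex_literals)


def recover_stage(text, max_rounds=MAX_ROUNDS):
    """Apply the transforms repeatedly, bounded by max_rounds, and return every
    distinct intermediate stage oldest first. Markers are matched on all
    stages: a %u shellcode carrier is visible before decoding, an API name
    spelled through fromCharCode only after it."""
    stages = [text]
    for _ in range(max_rounds):
        cur = stages[-1]
        for transform in TRANSFORMS:
            cur = transform(cur)
        if cur == stages[-1]:
            break  # fixed point reached, nothing left to peel
        stages.append(cur)
    return stages


def exploit_markers(stages):
    found = set()
    for s in stages:
        found.update(m for m in ACROBAT_EXPLOIT_MARKERS if m in s)
        found.update(p.pattern for p in SHELLCODE_RUNS if p.search(s))
    return sorted(found)


def count_base64_blobs(text):
    return len(BASE64_BLOB.findall(text))


def analyze(blob):
    """Mirror of the report's per-artifact fields for one decompressed stream."""
    stages = recover_stage(blob)
    markers = exploit_markers(stages)
    return {"rounds": len(stages) - 1, "markers": markers,
            "exploit_like": bool(markers),
            "base64_blobs": count_base64_blobs(stages[-1])}


def build_sample():
    """Constructed obfuscated stage: the script spells the Acrobat API name via
    fromCharCode, is percent-encoded in full, then interleaved with null bytes
    so a plain grep over the raw stream sees nothing."""
    api = ",".join(str(ord(c)) for c in "util.printf")
    blob = base64.b64encode(b"\x90" * 75).decode()  # 100 base64 characters
    js = ("var p = String.fromCharCode(" + api + ");"
          "var sc = unescape('" + "%u0c0c" * 10 + "');"
          "var b = '" + blob + "';")
    encoded = "".join("%%%02X" % ord(c) for c in js)
    return "".join(ch + "\x00" for ch in encoded)


if __name__ == "__main__":
    print(analyze(build_sample()))
```

On the constructed input one round of peeling is enough: the raw stream matches nothing, the recovered stage exposes `util.printf`, `unescape(` and a `%u0c0c` heap-spray run, and one 100-character base64-like blob is counted. The round bound matters in practice: the report's 198773-byte recovered stage shows why a recovery loop must stop on its own rather than chase every decoder to completion.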