Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6a54ebbe880fade…

Verdict: MALICIOUS
File type: PDF
Size: 51.1 KB
MD5: 17119030ebef995e765b334bb9b91ee3
SHA-1: 6b519ddc181f30c0465e5dc5fa9325d9a6f77567
SHA-256: d6a54ebbe880fadec0153f15839e876e96e808f5883006388c4507efa2793267
Risk Score: 68

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

The PDF file contains embedded JavaScript that triggers a redirect to an external URI, and the ML classifier strongly indicates maliciousness. The embedded JavaScript is what opens the external URL, a common technique for phishing or for delivering further malicious content. The PDF structure (a single image and no text) suggests an image-only lure, typical of phishing campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics (5)

  • Image-only document with action trigger (screenshot lure) [medium] PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 51 KB, the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://www.dynaforms.com
    Other URLs extracted (standard XMP/RDF metadata namespace identifiers, not navigation targets):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_004_off0000c7ef.js
SHA-256: f184302132c8d25d38644ea521a9e2663ef1980a48cdccba7c9471baefad0ba9
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xC7EF
Size: 1945 bytes