MALICIOUS
138
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF file contains embedded JavaScript and an embedded OLE object named 'mmm.doc'. The JavaScript actions and the embedded file suggest an attempt to deliver a malicious payload. The document body text is minimal and appears to be boilerplate related to the embedded object, not providing a clear lure. The presence of the embedded 'mmm.doc' file is the primary indicator of a potential secondary stage.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 7
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
exportDataObject + nLaunch — embedded-file launch-on-open dropper critical PDF_JS_EXPORT_LAUNCH_DROPPERPDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEXHex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml Referenced by PDF JavaScript
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
mmm.doc |
pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0x560 | 434683 bytes |
SHA-256: ccad64df15ccbe6b69e361bed7e56e04206ac3c60873ecab47dc15ed7d79ec83 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
788 of 2141 identifiers look randomly generated (e.g. 'ffffffffffffffffffffffffffffffffffffffff'); 25 string-concatenation chain(s) — consistent with name-mangling obfuscation. Carved artifact contains 79 long base64-like blob(s).
|
|||
javascript_obj0009_000.js |
pdf-javascript-stream | PDF /JS object 9 at offset 0xD496E | 56 bytes |
SHA-256: ed061ab592112ad55c254b426dafc2c2db9e4e9f33450d4021a0931f6c615736 |
|||
Preview scriptFirst 1,000 lines of the extracted script
this.exportDataObject({ cName: "mmm.doc", nLaunch: 2 });
|
|||
javascript_obj0009_001.js |
pdf-javascript-stream | PDF /JS object 9 at offset 0xD496E | 54 bytes |
SHA-256: b56c9a59f94f394983ab8fcf586f9c2e9f3c597311aba4461690252a02524028 |
|||
Preview scriptFirst 1,000 lines of the extracted script
this.exportDataObject({ cName: "mmm.doc", nLaunch: 2 }
|
|||
combined_document_js_000.js |
deobfuscated-js | combined document JavaScript streams at offset 0xD496E | 111 bytes |
SHA-256: 7dc1569570614bd5a97c47dd05a4740a26b8540426fbe6acd7775b0472c03a5a |
|||
Preview scriptFirst 1,000 lines of the extracted script
this.exportDataObject({ cName: "mmm.doc", nLaunch: 2 });
this.exportDataObject({ cName: "mmm.doc", nLaunch: 2 }
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.