Malicious PDF — malware analysis report

Static analysis result for SHA-256 da2c5e6ae24be79f…

MALICIOUS

PDF

44.7 KB Created: 2012-10-10 16:07:58 +04:00 Authoring application: Adobe Designer 7.0
MD5: d969e502e6213ed8995fddb2ce188ef0 SHA-1: 18318b36b0aa9a240784e112ca308cbdb8e72a1c SHA-256: da2c5e6ae24be79fce53b148b2d2daa36606c46d4ccca062a8174db898c1ca4c
156 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

This PDF document contains multiple high-severity heuristic firings indicating malicious activity, including PDF_EVAL and PDF_XFA_SCRIPT. The ML classifier strongly flagged this PDF as malicious. The presence of embedded JavaScript streams, particularly stream_008_off00007835.js, suggests the execution of malicious code. This script likely downloads and executes a secondary payload, as indicated by the embedded_file_obj0044.bin artifact.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 8

  • XFA form contains risky executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behavior is present.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0042.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 42 at offset 0x7ADC 85 bytes
embedded_file_obj0043.bin
f20aceb8dbc16d07642c756ca1ccc141a87f1f44f1a99949a4c6a6a8678b4c98		 pdf-embedded-file PDF EmbeddedFile object 43 at offset 0x7B8E 1526 bytes
embedded_file_obj0044.bin
1183d8ed653c644fe9d4ab15b60d5561b92a8aee4430a3407a8f789d4302759f		 pdf-embedded-file PDF EmbeddedFile object 44 at offset 0x7E5E 5567 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
embedded_file_obj0045.bin
3dd68f00f4fcb366a2a3a17c65cb2626eeddf5ea5713302d374310561d810169		 pdf-embedded-file PDF EmbeddedFile object 45 at offset 0x89AA 144 bytes
embedded_file_obj0046.bin
851068169faaac8fcdfa72571a46fea924d1fb0c33b95225802028dfa0b1c7a7		 pdf-embedded-file PDF EmbeddedFile object 46 at offset 0x8A6D 4800 bytes
embedded_file_obj0047.bin
57045217c453d4674a08ad8778674bf199a7989a9505424a1815c016e6bb412f		 pdf-embedded-file PDF EmbeddedFile object 47 at offset 0x8F09 212 bytes
stream_006_off000073f0.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x73F0 870 bytes
stream_008_off00007835.js
c876171bd867b66b7671fb337ff9e57d18cd15b43d344cf5a7243821300a408a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x7835 1528 bytes
font_00_cff_off0000131d.bin
23831e143e2e1a484b95ee765b15d94562c951468b895c080e655667dc04ddf0		 pdf-font-stream PDF embedded font (cff) at offset 0x131D 31178 bytes
font_01_cff_off0000906e.bin
b3745fe60ed2b79d33047feb5a279123a26860f718ffc20e4c32f3c7de61af42		 pdf-font-stream PDF embedded font (cff) at offset 0x906E 3875 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.