Malicious PDF — malware analysis report

Static analysis result for SHA-256 daef49d9a949fb60…

Verdict: MALICIOUS

File type: PDF

Size: 197.3 KB
Created: 2008-06-16 17:49:50 -07:00
Authoring application: Adobe InDesign CS3 (5.0.2) (via Adobe PDF Library 8.0)
MD5: 1b7b5d3127cbb80d443e3fcb41f6c65e
SHA-1: 15848442ca8c4ea96b376522439766f95c08e5bf
SHA-256: daef49d9a949fb6037e240210bc30a02839d705de7aa48fd4406d7d84f61186c
Risk Score: 74

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains embedded JavaScript and XFA form elements, indicating an attempt to interact with the user. The document body, though partially garbled, contains text related to shipping addresses and payment details, suggesting a phishing lure. The presence of embedded scripts and XFA forms points towards a malicious document designed to collect sensitive information, likely for fraudulent purposes. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9334

Heuristics (5)

  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture (XFA), which can contain script logic.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Note: every URL listed below is a standard XML namespace identifier (RDF, Dublin Core, XMP, XFA, XDP) of the kind found in PDF metadata and XFA templates, not a network destination the document contacts.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xtd/
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (8)

Files carved from inside the sample during analysis. Each entry lists the carved filename, its SHA-256, the artifact kind, the source location inside the PDF, and the size.

  • javascript_obj0023_000.js
    SHA-256: 04ceb4c2218e7db19a6e007ca4ce846f92c17fff5eaf3a611e71bbd7a5726917
    Kind: pdf-javascript-stream  Source: PDF /JS object 23 at offset 0xB6F  Size: 1535 bytes
  • javascript_obj0024_001.js
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
    Kind: pdf-javascript-stream  Source: PDF /JS object 24 at offset 0xD5A  Size: 870 bytes
  • javascript_obj0025_002.js
    SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
    Kind: pdf-javascript-stream  Source: PDF /JS object 25 at offset 0xEB4  Size: 2798 bytes
  • stream_019_off00018d0f.bin
    SHA-256: 314ae8e208627184c71dcd561a67349c7c7f287bf546dff44169bc444c4f2f84
    Kind: decompressed-pdf-stream  Source: PDF FlateDecoded stream at offset 0x18D0F  Size: 78173 bytes
  • embedded_pdf_script_00026d2f.bin
    SHA-256: 4442bbd0a2c133eea6b083bda5cd9bc6fcdb8d6961df4db4d72d2862203e5822
    Kind: pdf-embedded-script  Source: PDF raw stream script payload at offset 0x26D2F  Size: 3181 bytes
  • icc_00_off0000548c.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile  Source: PDF ICC profile at offset 0x548C  Size: 3144 bytes
  • font_00_sfnt_off0000d027.bin
    SHA-256: 14258ee498c3834f29aa3a5edb6c7226d93870c5e9e9c63be3e73930910df4a1
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0xD027  Size: 43377 bytes
  • font_01_sfnt_off00012c41.bin
    SHA-256: 766a107d32d4d809ab3fe569fc368ab26642ce26c373f205133cab93f0d3ca1f
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x12C41  Size: 44871 bytes