Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbe7770f27ce1a45…

MALICIOUS

PDF

222.2 KB Created: 2010-05-07 18:48:03 +02:00 First seen: 2026-05-10
MD5: 6a3089133de118e15b9a453d0369c563 SHA-1: 952a488b999d809db02e2c4f47432b414a3b7ce5 SHA-256: dbe7770f27ce1a45d9967e12673402eccef01b77de8033061431b0c6ad5ba7f4
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains embedded JavaScript that triggers a SubmitForm action, which in turn attempts to navigate to a Google search URL. This suggests a social engineering attempt to direct the user to a specific search result, potentially as a prelude to further malicious activity. The embedded JavaScript and SubmitForm action are key indicators of this behavior.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8359

Heuristics 8

  • PDF embedded file could not be fully decoded medium PDF_EMBEDDED_FILE_UNDECODED
    A declared PDF /EmbeddedFile stream uses filters that the scanner could not decode. The raw stream was carved for artifact triage because malformed or unsupported attachment filters can hide payload content from normal extraction.
  • SubmitForm action medium PDF_SUBMITFORM
    PDF has a /SubmitForm action — form data can be silently posted to an attacker-controlled URL (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.google.com/[5/7/2010 In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://www.google.com/search?q=Tchaikovsky&ct=tchaikovsky10-hp&oi=ddleReferenced by PDF JavaScript
    • http://www.google.com/search)/FS/URLReferenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
malware.bin pdf-embedded-file-undecodable PDF EmbeddedFile object 107 at offset 0x10DEA; filter decode failed 157957 bytes
SHA-256: 00f4c88d126c86398279178cff240bea37a96b7539e5638762936107e4fc2a08
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
stream_000_off00000060.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x60 7109 bytes
SHA-256: 59bd7d034efc9caeeff55702df9cb2e409eeb637c1926b388fcb99f3fde8855f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).