Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7f6c4de3884655b…

MALICIOUS

PDF

185.7 KB Created: 2024-03-06 08:18:13 -05:00 Authoring application: Designer 6.5 (via 3.0.32 (5.1.19)) First seen: 2026-06-10
MD5: f4b713d916d2daef51c72dc49d06471a SHA-1: 88cec7cee5af4587db6e075e54f9d07726ef4c5b SHA-256: e7f6c4de3884655bed126fb836a50fcb879bade4e56ebf293bf520dda829a2e0
66 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.1795

Heuristics 5

  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://cgi.adobe.com/special/acrobat/update Referenced by PDF JavaScript — this is the update URL hard-coded in the carved version-check script (objects 122 and 123 under Extracted artifacts below), which appends the viewer platform/version/language query string (ADBE.SYSINFO) to it before opening.

Extracted artifacts 9

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
javascript_obj0121_000.js pdf-javascript-stream PDF /JS object 121 at offset 0xDFB9 1197 bytes
SHA-256: 812f8446cf1b6187844f5e7116cf921ee6da6407961ebe4e7ee52c843d7af754
Preview script
First 1,000 lines of the extracted script
// Carved artifact (PDF /JS object 121), reproduced byte-for-byte; comments are reviewer annotations.
// Creates the ADBE namespace and the dialog strings consumed by the scripts in objects 122 and 123.
// No viewer API is called in this object; its only effect is defining these properties.
if (typeof(this.ADBE) == "undefined")
   this.ADBE = new Object();
ADBE.LANGUAGE = "ENU";
ADBE.Viewer_string_Title = "Adobe Acrobat DC";
ADBE.Viewer_string_Update_Desc = "Adobe Interactive Forms Update";
// The four messages below are the text shown to the user before any URL is opened (see object 123).
// They read as an Adobe "update required" prompt, which is what a triage analyst should weigh
// against the payment-redirection content flagged by SE_PAYMENT_REDIRECT_LURE.
ADBE.Reader_string_Need_New_Version_Msg = "This PDF file requires a newer version of Adobe Acrobat Reader DC. Press OK to download the latest version or see your system administrator.";
ADBE.Viewer_string_Need_New_Version_Msg_Old = "This PDF requires a newer version of Acrobat. Copy this URL and paste into your browser or see your sys admin.";
ADBE.Viewer_string_Need_New_Version_Msg = "This PDF form requires a newer version of Adobe Acrobat DC. Without a newer version, the form may display, but may not work properly. Some form elements might not be visible at all. Click OK for more information on obtaining the latest version of Adobe Acrobat Reader DC.";
ADBE.Viewer_string_Need_New_Version_Msg_Updater = "This PDF form requires a newer version of Adobe Acrobat. Without a newer version, the form may display, but may not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will download and install the latest version.";
javascript_obj0122_001.js pdf-javascript-stream PDF /JS object 122 at offset 0xE1D6 902 bytes
SHA-256: e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a
Preview script
First 1,000 lines of the extracted script
// Carved artifact (PDF /JS object 122), reproduced byte-for-byte; comments are reviewer annotations.
// Initialises the "already asked" flags and the required-version data that object 123 reads.
if (typeof(ADBE.Reader_Value_Asked) == "undefined")
   ADBE.Reader_Value_Asked = false;
if (typeof(ADBE.Viewer_Value_Asked) == "undefined")
   ADBE.Viewer_Value_Asked = false;
// Both branches below hard-code the same URL (the one listed under EMBEDDED_URL in the report) and
// build ADBE.SYSINFO as a query string from app.platform, app.viewerVersion, app.language and
// app.viewerType. Object 123 appends SYSINFO to the URL, so if a URL is ever opened the viewer
// environment is disclosed to that host. The second branch overwrites SYSINFO unconditionally.
if (typeof(ADBE.Reader_Need_Version) == "undefined" || ADBE.Reader_Need_Version < 9.0)
{
   ADBE.Reader_Need_Version = 9.0;
   ADBE.Reader_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
   ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&r=" + ADBE.Reader_Need_Version;
}
if (typeof(ADBE.Viewer_Need_Version) == "undefined" || ADBE.Viewer_Need_Version < 9.0)
{
   ADBE.Viewer_Need_Version = 9.0;
   ADBE.Viewer_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
   ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&r=" + ADBE.Viewer_Need_Version;
}
javascript_obj0123_002.js pdf-javascript-stream PDF /JS object 123 at offset 0xE331 1363 bytes
SHA-256: 529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f
Preview script
First 1,000 lines of the extracted script
// Carved artifact (PDF /JS object 123), reproduced byte-for-byte; comments are reviewer annotations.
// Version gate: the body runs only when the XFA plugin is missing or older than 2.8. The shape of
// this check (together with objects 121/122) matches the compatibility script that Adobe Designer
// inserts into XFA forms, and the report lists Designer 6.5 as the authoring application —
// presumably stock boilerplate rather than attacker-authored logic; confirm against a known-clean
// Designer output before treating the JS findings as the reason for the verdict.
// Every outbound action below is gated on the user accepting a dialog; nothing runs silently.
if (typeof(xfa_installed) == "undefined" || typeof(xfa_version) == "undefined" || xfa_version < 2.8)
{
   if (app.viewerType == "Reader")
   {
      if (ADBE.Reader_Value_Asked != true)
      {
         if (app.viewerVersion < 9.0)
         {
            // Reader < 9.0: alert, then this.getURL(update URL + SYSINFO) — the only network action
            // in this branch. app.alert(..., 1, 1) == 1 is presumably the OK button (verify against
            // the Acrobat JS API reference).
            if (app.alert(ADBE.Reader_string_Need_New_Version_Msg, 1, 1) == 1)
               this.getURL(ADBE.Reader_Value_New_Version_URL + ADBE.SYSINFO, false);
            // Flag is set only inside the < 9.0 branch; on newer Reader versions the
            // findComponent prompt below is not suppressed on subsequent runs.
            ADBE.Reader_Value_Asked = true;
         }
         else if (app.alert(ADBE.Viewer_string_Need_New_Version_Msg_Updater, 1, 1) == 1)
            app.findComponent({cType:"Plugin", cName:"XFA", cVer:"2.8"});
      }
   }
   else
   {
      if (ADBE.Viewer_Value_Asked != true)
      {
         // Viewer < 7.0: no navigation — a response dialog with the URL (plus SYSINFO) pre-filled
         // as the default answer, matching the "Copy this URL" wording of the Msg_Old string.
         if (app.viewerVersion < 7.0)
            app.response({cQuestion: ADBE.Viewer_string_Need_New_Version_Msg_Old, cDefault: ADBE.Viewer_Value_New_Version_URL + ADBE.SYSINFO, cTitle: ADBE.Viewer_string_Title});
		   else if (app.viewerVersion < 9.0)
         {
            // Viewer 7.0–8.x: alert, then app.launchURL(update URL + SYSINFO, true). The second
            // argument presumably requests a new browser window — verify against the API reference.
            if (app.alert(ADBE.Viewer_string_Need_New_Version_Msg, 1, 1) == 1)
               app.launchURL(ADBE.Viewer_Value_New_Version_URL + ADBE.SYSINFO, true);
         }
         else if (app.alert(ADBE.Viewer_string_Need_New_Version_Msg_Updater, 1, 1) == 1)
            app.findComponent({cType:"Plugin", cName:"XFA", cVer:"2.8"});
         // Unlike the Reader branch, the flag is set after the whole version chain, so the
         // non-Reader prompt fires at most once per session regardless of viewer version.
         ADBE.Viewer_Value_Asked = true;
      }
   }
}
font_00_cff_off00023872.bin pdf-font-stream PDF embedded font (cff) at offset 0x23872 5675 bytes
SHA-256: e66c939a81f8c9e7598f5e60c3e8da98458e028e8d780e52aa2c66ee561f0c9e
font_01_cff_off00024b80.bin pdf-font-stream PDF embedded font (cff) at offset 0x24B80 711 bytes
SHA-256: 3d33962dd4a6f22f01a79a59d7e354946f3449ee44f842901289bf69d34f7b68
font_02_cff_off00024e70.bin pdf-font-stream PDF embedded font (cff) at offset 0x24E70 2346 bytes
SHA-256: 41a220c501cf7e8d1d0c247c4da7eaeba0b02d349cb41836f8e76fe05cd7dd84
font_03_cff_off00025713.bin pdf-font-stream PDF embedded font (cff) at offset 0x25713 4956 bytes
SHA-256: ef9961b4010c7605363674aaacdfbee415bab66d697008cebbb1a9af57d8acfc
font_04_cff_off000267a5.bin pdf-font-stream PDF embedded font (cff) at offset 0x267A5 2523 bytes
SHA-256: fd3489fd63095cd02cf1fab683ff19c5c317fad0b9591682f1af7035af9475e2
font_05_cff_off000270c0.bin pdf-font-stream PDF embedded font (cff) at offset 0x270C0 4294 bytes
SHA-256: 706d3ec8f1c57c6e741897a6d8d58fb9d49284507bc8fdad1320ec8f96eceb91