Malware Insights
The PDF file exhibits multiple indicators of suspicious activity, including embedded JavaScript streams and XFA forms. The presence of these elements, coupled with the 'PDF_JAVASCRIPT' and 'PDF_XFA' heuristic firings, indicates a potential for malicious code execution or exploitation. While the document body is unreadable, the structure suggests it may be a lure. The embedded JavaScript, though not fully analyzed due to its size, is likely responsible for delivering a secondary payload or exploiting a vulnerability. The benign reputation of the extracted URLs does not negate the suspicious nature of the embedded content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9978
Heuristics (9)
- PDF embedded file could not be fully decoded (medium; PDF_EMBEDDED_FILE_UNDECODED): A declared PDF /EmbeddedFile stream uses filters that the scanner could not decode. The raw stream was carved for artifact triage because malformed or unsupported attachment filters can hide payload content from normal extraction.
- Suspicious extracted artifact (medium; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- JavaScript action (low; 1 related finding; PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low; PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded file (low; PDF_EMBEDDED): PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
- XFA form (low; PDF_XFA): PDF uses XML Forms Architecture — can contain script logic.
- AcroForm button with action trigger (low; PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- PDF paints image(s) but contains no text operators (info; PDF_IMAGE_ONLY_LURE): PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (Referenced by PDF JavaScript)
- http://ns.adobe.com/xap/1.0/ (Referenced by PDF JavaScript)
- http://ns.adobe.com/pdf/1.3/ (Referenced by PDF JavaScript)
- http://ns.adobe.com/xap/1.0/mm/ (Referenced by PDF JavaScript)
- http://purl.org/dc/elements/1.1/ (In PDF document text)
- http://ns.adobe.com/xfa/promoted-desc/ (Referenced by PDF JavaScript)
- http://cgi.adobe.com/special/acrobat/update (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xci/1.0/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xci/2.8/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-template/2.1/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-locale-set/2.7/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-locale-set/2.1/ (Referenced by PDF JavaScript)
- http://ns.adobe.com/xdp/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-form/2.8/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-data/1.0/ (Referenced by PDF JavaScript)
Extracted artifacts (13)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_file_obj0002.bin | pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0x57 | 1475 bytes | e1624aa7dd8a1e059831c1e54bfc8f287e72098aeb0373c67a017e36590a0c43 |
| embedded_file_obj0003.bin | pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x315 | 1351 bytes | 603e53b7b90bcbbb155e0d09a3fadfc09fee609995453dd22e90dc2ffc40c391 |
| embedded_file_obj0004.bin | pdf-embedded-file | PDF EmbeddedFile object 4 at offset 0x606 | 3023 bytes | 7a3baf6cd7005199e771f5fac95d2162e961b145b52976bfa7d0f32a10c9758d |
| embedded_file_obj0005.bin | pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0x997 | 1147 bytes | 481e893332602e1d39ae1c6001aff9976442abbb4f02e3f6cfd7a80f6ceec720 |
| embedded_file_obj0056.bin | pdf-embedded-file | PDF EmbeddedFile object 56 at offset 0x72969 | 85 bytes | c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb |
| embedded_file_obj0057.bin | pdf-embedded-file | PDF EmbeddedFile object 57 at offset 0x72A1C | 212 bytes | 966e122c41d06a1203d0878bc821a3e94856ad8064f9fc0137f293fa3aebf3c6 |
| embedded_file_obj0058.bin | pdf-embedded-file | PDF EmbeddedFile object 58 at offset 0x72B21 | 1372 bytes | 3dae9a4fa7af8d48a81be83aad61690cdee91bcd425e70342ab11668573f2018 |
| temp.jpg | pdf-embedded-file-undecodable | PDF EmbeddedFile object 55 at offset 0xCF33; filter decode failed | 416221 bytes | 192495bd1a4263fd7833267796ed7e28775fc62ca618e7e0b82c267855d051ed |
| javascript_obj0033_000.js | pdf-javascript-stream | PDF /JS object 33 at offset 0x8703 | 1604 bytes | f979542c4992f256c12537db5bbe5f86605da11ef877e634ccfc2c47c9284b10 |
| javascript_obj0034_001.js | pdf-javascript-stream | PDF /JS object 34 at offset 0x88EE | 902 bytes | 3bf84668674e23c91aaaa6c58c24a1f80a30566e9cfbd09040882d18101fed76 |
| javascript_obj0035_002.js | pdf-javascript-stream | PDF /JS object 35 at offset 0x8A5B | 2844 bytes | bb2fe1c0b366bd3a48235c04e822305ef3ab04e575e155f93e34004f56cc10ec |
| xfa_image_rawvalue_000.tif | pdf-xfa-image-tiff | XFA image/rawValue TIFF payload near offset 0x72BA8 | 879 bytes | da819e52be8a108682eaa366c3b57bbb54f1908471416a4ae259b5062c5ba4eb |
| font_00_cff_off00000bda.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xBDA | 31706 bytes | 76911b10d0e3a599e9481f5f3f875b0c2432bd33d8fdbfffa37a22aac7e76b24 |

Artifact details

javascript_obj0033_000.js: preview script (first 1,000 lines of the extracted script)

```javascript
if (typeof(xfa_installed) == "undefined" || typeof(xfa_version) == "undefined" || xfa_version < 1.2)
{
    if (app.viewerType == "Reader")
    {
        if (ADBE.Reader_Value_Asked != true)
        {
            if (app.viewerVersion < 6.01)
            {
                if (app.alert(ADBE.Viewer_Form_string_Reader_Older, 1, 1) == 1)
                    this.getURL(ADBE.Reader_Value_New_Version_URL + ADBE.SYSINFO, false);
            }
            else
            {
                if (app.alert(ADBE.Viewer_Form_string_Reader_601, 1, 1) == 1)
                    app.findComponent({cType:"Plugin", cName:"XFA",
                        cDesc: ADBE.Viewer_string_Update_Reader_Desc});
            }
            ADBE.Reader_Value_Asked = true;
        }
    }
    else
    {
        if (ADBE.Viewer_Value_Asked != true)
        {
            if (app.viewerVersion == 6)
            {
                app.response({cQuestion: ADBE.Viewer_Form_string_Viewer_60,
                    cDefault: ADBE.Viewer_Value_New_Version_URL + ADBE.SYSINFO,
                    cTitle: ADBE.Viewer_string_Title});
            }
            else if (app.viewerVersion < 6)
            {
                app.response({cQuestion: ADBE.Viewer_Form_string_Viewer_Older,
                    cDefault: ADBE.Viewer_Value_New_Version_URL + ADBE.SYSINFO,
                    cTitle: ADBE.Viewer_string_Title});
            }
            else
            {
                if (app.alert(ADBE.Viewer_Form_string_Viewer_601, 1, 1) == 1)
                    app.findComponent({cType:"Plugin", cName:"XFA",
                        cDesc: ADBE.Viewer_string_Update_Desc});
            }
            ADBE.Viewer_Value_Asked = true;
        }
    }
}
```

javascript_obj0034_001.js: preview script (first 1,000 lines of the extracted script)

```javascript
if (typeof(ADBE.Reader_Value_Asked) == "undefined")
    ADBE.Reader_Value_Asked = false;
if (typeof(ADBE.Viewer_Value_Asked) == "undefined")
    ADBE.Viewer_Value_Asked = false;
if (typeof(ADBE.Reader_Need_Version) == "undefined" || ADBE.Reader_Need_Version < 6.01)
{
    ADBE.Reader_Need_Version = 6.03
    ADBE.Reader_Value_New_Version_URL =
        "http://cgi.adobe.com/special/acrobat/update";
    ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l="
        + app.language + "&c=" + app.viewerType + "&w=" + "XFA1_5";
}
if (typeof(ADBE.Viewer_Need_Version) == "undefined" || ADBE.Viewer_Need_Version < 6.01)
{
    ADBE.Viewer_Need_Version = 6.03;
    ADBE.Viewer_Value_New_Version_URL =
        "http://cgi.adobe.com/special/acrobat/update";
    ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l="
        + app.language + "&c=" + app.viewerType + "&w=" + "XFA1_5";
}
```

javascript_obj0035_002.js: preview script (first 1,000 lines of the extracted script). This stream is UTF-16BE with a byte-order mark, and the extractor rendered it byte by byte, so every ASCII character appeared preceded by a space and every non-ASCII code unit as two stray bytes. The ASCII code is re-joined below; the non-ASCII (localized) message text inside the string literals did not survive extraction and is left as it was rendered.

```text
if (typeof(this.ADBE) == "undefined")
    this.ADBE = new Object();
ADBE.LANGUAGE = "ENU";
ADBE.Viewer_string_Title = "Adobe Acrobat";
ADBE.Viewer_string_Update_Desc = "Adobe N�N��hSUf�e� ";
ADBE.Viewer_string_Update_Reader_Desc = "Adobe Reader 7.0.5";
ADBE.Reader_string_Need_New_Version_Msg = "kd PDF e�N���lBf���rHg,v� Adobe Reader0 ��c xn[� geN �}g e�rHg,� b �T|�`�v�|�~�{�t TX0 ";
ADBE.Viewer_Form_string_Reader_601 = "kd PDF �hSU��lBf���rHg,v� Adobe Reader0 �}q6�hSUw �wgel�g �� OFg�N�QC} [��EN
e�l�kc^8bg�L� u ��e�l�f>y:0 ��c xn[� T/R�W(~�f�e�� b �T|�`�v�|�~�{�t TX0 ";
ADBE.Viewer_Form_string_Reader_Older = "kd PDF �hSU��lBf���rHg,v� Adobe Reader0 �}q6�hSUw �wgel�g �� OFg�N�QC} [��EN
e�l�kc^8bg�L� u ��e�l�f>y:0 c xn[� ��S�W(~�N �}O�`o� b �T|�`�v�|�~�{�t TX0 ";
ADBE.Viewer_Form_string_Viewer_601 = "kd PDF �hSU��lBf���rHg,v� Adobe Acrobat0 �}q6�hSUw �wgel�g �� OFg�N�QC} [��EN
e�l�kc^8bg�L� u ��e�l�f>y:0 ��c xn[� T/R�W(~�f�e�� b �T|�`�v�|�~�{�t TX0 ";
ADBE.Viewer_Form_string_Viewer_60 = "kd PDF �hSU��lBf���rHg,v� Adobe Acrobat0 �}q6�hSUw �wgel�g �� OFg�N�QC} [��EN
e�l�kc^8bg�L� u ��e�l�f>y:0 ��Y
R6N�N QW@� Windows� CTRL+C� Mac� Command+C� � q6T |��4R0`�v�mO��VhN-N僷S�~�O�`o� b �T|�`�v�|�~�{�t TX0 ";
ADBE.Viewer_Form_string_Viewer_Older = "kd PDF �hSU��lBf���rHg,v� Adobe Acrobat0 ��Y
R6�� QW@� q6T |�^ R0`�v�mO��VhN-� b �T|�`�v�|�~�{�t TX0 ";
ADBE.Viewer_Form_string_Reader_5x = "kd PDF �hSU��lBf���rHg,v� Adobe Reader0 �}q6�hSUw �wgel�g �� OFg�N�QC} [��EN
e�l�kc^8bg�L� u ��e�l�f>y:0 Y�g� Q~�S�u(� ��SUQ� xn[� bS_ mO��Vh� ��c���SS�g e�rHg,v� Q�u0 ";
ADBE.Viewer_Form_string_Reader_6_7x = "kd PDF �hSU��lBf���rHg,v� Adobe Reader0 �}q6�hSUw �wgel�g �� OFg�N�QC} [��EN
e�l�kc^8bg�L� u ��e�l�f>y:0 Y�g� Q~�S�u(� ��SUQ� xn[� N �}^v[���g e�v�rHg,0 ";
ADBE.Viewer_Form_string_Viewer = "kd PDF �hSU��lBf���rHg,v� Adobe Acrobat0 Y�g�l�g f���v�rHg,� \={�kd�hSUS�N�f>y:� OFS��e�l�kc^8]�O\0 � g�N��hSUQC} u ��h9g,N
f>y:0 Y�g�S�N��c�R0 Internet� SUQ� xn[� S�N �}^v[���g e�rHg,0 ";
```

xfa_image_rawvalue_000.tif: detection

ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_EGG_HUNTER