Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb9a228581cf6dc6…

MALICIOUS

PDF

1.70 MB Created: 2004-12-21 09:13:11 -05:00 Authoring application: OneForm Designer Plus (via Acrobat Distiller 6.0 (Windows)) First seen: 2026-05-10
MD5: 51a11e3653410d40c993fb0489d8aae4 SHA-1: 63d4952973fee225216163a63866bbe2ebc30830 SHA-256: eb9a228581cf6dc626249d4a02437c53dd7eeecc9a1a183518398b40cef41959
114 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings related to PDF JavaScript actions and streams. The presence of an embedded JavaScript file, 'javascript_obj0358_000.js', suggests an attempt to execute malicious code. The document body is heavily obfuscated and unreadable, providing no direct clues about the lure. The high stream count also suggests obfuscation techniques common in malicious PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8595

Heuristics 9

  • PDF embedded file could not be fully decoded medium PDF_EMBEDDED_FILE_UNDECODED
    A declared PDF /EmbeddedFile stream uses filters that the scanner could not decode. The raw stream was carved for artifact triage because malformed or unsupported attachment filters can hide payload content from normal extraction.
  • Unusually high stream count medium PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript issues an HTTP request on open low PDF_JS_NETWORK_BEACON
    Embedded JavaScript calls a network API — this.getURL() to an http(s) URL, XMLHttpRequest, or SOAP — typically an open-time beacon / tracking pixel or data-exfil callback. This abuses a legitimate Acrobat API and exploits no vulnerability; the risk is the unsolicited outbound request (confirming recipient open or fetching a next stage).
    Matched line in script
        if (ans == 1)
        this.getURL("http://www.adobe.com/acrobat", false);
}
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.adobe.com/acrobat Referenced by PDF JavaScript
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by PDF JavaScript
    • http://ns.adobe.com/iX/1.0/Referenced by PDF JavaScript
    • http://ns.adobe.com/pdf/1.3/Referenced by PDF JavaScript
    • http://ns.adobe.com/xap/1.0/Referenced by PDF JavaScript
    • http://ns.adobe.com/xap/1.0/mm/Referenced by PDF JavaScript
    • http://purl.org/dc/elements/1.1/Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
XMLOutput.joboptions pdf-embedded-file-undecodable PDF EmbeddedFile object 16 at offset 0x322D; filter decode failed 1148 bytes
SHA-256: d659d0dab75fdf8de75fce4b6b94b653a788db2ced5b912a81136b78dd7ab7cb
javascript_obj0358_000.js pdf-javascript-stream PDF /JS object 358 at offset 0x15E47 808 bytes
SHA-256: 6ec6509be655ad55d7f043dd30a57424b3e40e0dcc056cf0d9c53cf4255c07fb
Preview script
First 1,000 lines of the extracted script
/*Ubiquity*/
var needsUpdate = 0;
if (app.viewerType == "Exchange" && app.viewerVariation=="Fill-In")
    needsUpdate = 1;
else if (app.viewerType == "Reader")
{
    if (app.viewerVersion >= 5.1)
        needsUpdate = 0;
    else
        needsUpdate = 1;
}
if (needsUpdate)
{
    var ans = app.alert("This document requires one of the following\nin order to be used as the author intended:\n\n - Acrobat Reader 5.1 or later\n - Acrobat 5.0.5 or later\n - Acrobat Approval 5.0.5 or later\n\nYou are viewing this document with an earlier\nversion of one of these products.  As a result,\nsome features\nof the document will not operate.\n\nClick OK to go on-line and obtain the latest version\nof the free Adobe Reader.\n", 1, 1);
    if (ans == 1)
        this.getURL("http://www.adobe.com/acrobat", false);
}

Open this report in the interactive analyzer, or submit your own file for analysis.