Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec8e383645476eda…

MALICIOUS

PDF

121.0 KB Created: 2007-11-07 14:46:13 +01:00 Authoring application: Adobe Designer 7.0
MD5: c237375028c7d4f956b6ed72b4cf1656 SHA-1: 9a8ef5c5d50e8b9011791df1954f879d690f98cd SHA-256: ec8e383645476edabe929cb57d7b0bed0cd478fdfdf0a2a1d84ff303a79af354
192 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell

This PDF document contains XFA form elements which are known to be vulnerable to heap spray attacks. The presence of JavaScript, specifically heap-spray exploit code and String.fromCharCode usage, indicates an attempt to execute arbitrary code. The embedded file 'embedded_file_obj0093.bin' is likely the secondary payload. The ML classifier strongly suggests maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics 10

  • XFA form contains risky executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behavior is present.
  • XFA JavaScript heap-spray exploit code critical PDF_XFA_HEAP_SPRAY
    PDF contains XFA script content with heap-spray or shellcode-like JavaScript markers such as large encoded word sequences, util.pack, large arrays, or spray variable names. This is a weaponised Adobe Reader exploit pattern, not a normal interactive form.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0091.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 91 at offset 0x8036 85 bytes
embedded_file_obj0092.bin
7b5a71936821706679c2b9b6fb2f8ebb2e54fe61a70688782204c9a03208e762		 pdf-embedded-file PDF EmbeddedFile object 92 at offset 0x80E8 1684 bytes
embedded_file_obj0093.bin
08bd587e2bd1ca7465a6b54fbebd950e7c0005683aae408efa7e56a7898366de		 pdf-embedded-file PDF EmbeddedFile object 93 at offset 0x83EE 266099 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
embedded_file_obj0094.bin
3907b446b011f8610a82acd8de23d89f1d2e4d3687e008fa4fc67993a8207d64		 pdf-embedded-file PDF EmbeddedFile object 94 at offset 0x1C69E 2304 bytes
embedded_file_obj0095.bin
ba5dad9f84d43b5e8f5a0465ec8aef82999eafc36f58b3afda5c0fdf63237aff		 pdf-embedded-file PDF EmbeddedFile object 95 at offset 0x1C99E 1497 bytes
embedded_file_obj0096.bin
57045217c453d4674a08ad8778674bf199a7989a9505424a1815c016e6bb412f		 pdf-embedded-file PDF EmbeddedFile object 96 at offset 0x1CAD7 212 bytes
embedded_file_obj0097.bin
e7f4bd3bb82d99144e0387be82f69c35083d564a7334738faefc8c9b8cda268c		 pdf-embedded-file PDF EmbeddedFile object 97 at offset 0x1CBCE 724 bytes
embedded_file_obj0098.bin
a60265344cf1a9e94da34c8f587f64a4297e2fa417c895852209903ab7588bcc		 pdf-embedded-file PDF EmbeddedFile object 98 at offset 0x1CDAE 85 bytes
javascript_obj0083_000.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 pdf-javascript-stream PDF /JS object 83 at offset 0x786B 870 bytes
javascript_obj0085_001.js
6eb244f53ebc8f25f5c57b1b6967c137506ad30fcad0035c0d792b516a9ab880		 pdf-javascript-stream PDF /JS object 85 at offset 0x79EF 3334 bytes
javascript_obj0087_002.js
c876171bd867b66b7671fb337ff9e57d18cd15b43d344cf5a7243821300a408a		 pdf-javascript-stream PDF /JS object 87 at offset 0x7D32 1528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.