Malicious PDF — malware analysis report

Static analysis result for SHA-256 f098e53c80317b42…

Verdict: MALICIOUS
File type: PDF
Size: 62.2 KB
MD5: 6073e9887112d043810361f7a5d4caa7
SHA-1: 8941922b7420b3a1e61b1e16a628c46ef8f4edcc
SHA-256: f098e53c80317b4283d87afd905a6cab7f17d7471c2e6ecee5f35f0f8f07528c
Risk score: 90

Malware Insights

MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript
T1566.001 Phishing: Spearphishing Attachment

The PDF contains an XFA (XML Forms Architecture) form, a feature that exploit documents have repeatedly abused. Static stage recovery exposed hidden JavaScript that was only visible after generic de-obfuscation transforms were applied, which indicates the file attempts to exploit a reader vulnerability in order to execute code. The recovered stage is flagged because it carries exploit-like Acrobat JavaScript or shellcode markers; it likely downloads and executes a second-stage payload, but its exact function is obscured and was not confirmed statically.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0019 (the model rates the file as almost certainly not clean)

Heuristics (4)

  • Generic recovered JavaScript exploit stage (severity: high, rule PDF_GENERIC_STAGE_RECOVERY)
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, and repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • XFA form (severity: low, rule PDF_XFA)
    The PDF uses XML Forms Architecture, which can carry script logic (matched inside a decoded stream).
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: context-specific rules above attribute the URLs they actually evaluated, and this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    All seven are XML namespace identifiers (RDF, XMP, Dublin Core, XHTML and XFA) that ordinary PDF metadata and XFA templates contain; they identify schemas and are not download or callback addresses, so they carry no indicator value on their own.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

stream_009_off00003ea9.bin
  SHA-256: a879078fae1b75c04eb41e2fac6f69e8e575b0d677db416f24ecee927ee673df
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x3EA9
  Size: 3779 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (the carved artifact contains 2 long base64-like blobs)

generic_stage_recovery_000.js
  SHA-256: 044329056131063f98d881b2d0380d8fda5168f42d6447bfd0fb87f3607332e0
  Kind: deobfuscated-js
  Source: generic stage recovery (null-collapse -> marker-dDdDdDdD-to-%u) from the decompressed stream at offset 0x5E63
  Size: 4605 bytes

generic_stage_recovery_001.js
  SHA-256: d1ad66fdef0b5339dfd68d75b6f0c73234aebec182abd3398fd3f3c4beb3bc91
  Kind: deobfuscated-js
  Source: generic stage recovery (null-collapse -> marker-dDdDdDdD-to-%u) from the decompressed stream at offset 0x5E63
  Size: 4589 bytes

Both recovered stages derive from the same decompressed stream at offset 0x5E63 through the same two transforms. Stripping interleaved null bytes and rewriting the repeated dDdDdDdD marker to %u yields a %u-escaped string of the form that JavaScript unescape() consumes, which is the usual carrier for shellcode in Acrobat exploit stages; the obfuscation exists precisely so that byte-level signature matching on the raw stream sees neither the API names nor the escaped run.
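The PDF_GENERIC_STAGE_RECOVERY heuristic and the transform chain recorded for the two recovered stages (null-collapse, then rewriting the repeated dDdDdDdD marker to %u) describe a process that is easier to follow in code. The following Python is an added illustration, not the analysis engine's code and not bytes from this sample. It builds a constructed PDF containing an /XFA reference and a FlateDecode stream that holds a NUL-padded, marker-obfuscated JavaScript stage, carves and inflates the stream, applies the two transforms, and then checks the recovered stage for Acrobat API names and a %u-escaped run, the two classes of marker the rule keys on. The marker-discovery strategy (score every repeated alphabetic token by how long a %u run it produces), the Acrobat API list and the 8-unit shellcode threshold are assumptions chosen for the demonstration.

```python
"""Added demonstration of 'generic stage recovery' over a constructed PDF.
Sample bytes are built here; nothing below is taken from the analysed file."""
import re
import zlib
from collections import Counter

# --- constructed sample (assumption: not the real sample's content) ---------
_UNITS = ["9090"] * 8 + ["e8fc", "ffff", "ffff", "6031"]   # twelve %uXXXX units
_MARKER = "dDdDdDdD"                                        # stands in for "%u"
_STAGE_JS = ('var sc = unescape("' + _MARKER + _MARKER.join(_UNITS) + '");\n'
             'app.setTimeOut("eval(sc)", 1);\n')
# A NUL after every character: the inflated stream never contains "unescape(".
_NULL_PADDED = "".join(c + "\x00" for c in _STAGE_JS).encode("latin-1")
_DEFLATED = zlib.compress(_NULL_PADDED)
_XFA = b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"/>'

SAMPLE_PDF = (
    b"%PDF-1.7\n"
    + b"1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 3 0 R >> >>\nendobj\n"
    + b"2 0 obj\n<< /Length " + str(len(_DEFLATED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _DEFLATED + b"\nendstream\nendobj\n"
    + b"3 0 obj\n<< /Length " + str(len(_XFA)).encode() + b" >>\nstream\n"
    + _XFA + b"\nendstream\nendobj\n"
)

# --- carving ----------------------------------------------------------------
STREAM_START = re.compile(rb"(?<!end)stream\r?\n")   # skip the one in "endstream"

def carve_streams(pdf):
    """Yield (data offset, object dictionary bytes, raw stream bytes)."""
    for m in STREAM_START.finditer(pdf):
        end = pdf.find(b"endstream", m.end())
        if end < 0:
            return
        obj_start = pdf.rfind(b" obj", 0, m.start())   # back to "N G obj"
        yield m.end(), pdf[obj_start:m.start()], pdf[m.end():end]

def inflate(raw):
    """FlateDecode; decompressobj tolerates the EOL that precedes 'endstream'."""
    d = zlib.decompressobj()
    return d.decompress(raw) + d.flush()

# --- generic transforms -----------------------------------------------------
PERCENT_U_RUN = re.compile(rb"(?:%u[0-9A-Fa-f]{4})+")
ALPHA = re.compile(rb"[A-Za-z_$]+")

def null_collapse(data):
    return data.replace(b"\x00", b"")

def longest_percent_u_run(data):
    """Length, in %uXXXX units, of the longest contiguous escaped run."""
    return max((len(m.group()) // 6 for m in PERCENT_U_RUN.finditer(data)), default=0)

def marker_to_percent_u(data, min_count=3):
    """Pick the repeated alphabetic token that, rewritten to '%u', yields the
    longest %u-escaped run (assumed discovery strategy). Returns (marker, rewritten)."""
    counts = Counter()
    for i in range(len(data)):
        for n in range(2, 17):
            tok = data[i:i + n]
            if len(tok) < n or not ALPHA.fullmatch(tok):
                break
            counts[tok] += 1
    best, best_run = None, longest_percent_u_run(data)
    for cand, cnt in counts.items():
        if cnt >= min_count:
            run = longest_percent_u_run(data.replace(cand, b"%u"))
            if run > best_run:
                best, best_run = cand, run
    return (best, data.replace(best, b"%u")) if best else (None, data)

# --- exploit-like markers ---------------------------------------------------
ACROBAT_API = (b"app.", b"util.printf(", b"Collab.", b"media.newPlayer(",
               b"unescape(", b"eval(", b"String.fromCharCode(", b"setTimeOut(")
MIN_SHELLCODE_UNITS = 8   # demo threshold; real shellcode runs are far longer

def analyze(pdf):
    report = {"xfa": b"/XFA" in pdf, "stages": []}
    for offset, obj_dict, raw in carve_streams(pdf):
        if b"/FlateDecode" in obj_dict:
            try:
                decoded = inflate(raw)
            except zlib.error:
                continue
        else:
            decoded = raw
        if b"http://ns.adobe.com/xdp/" in decoded or b"http://www.xfa.org/" in decoded:
            report["xfa"] = True
        stage, transforms = null_collapse(decoded), ["null-collapse"]
        marker, stage = marker_to_percent_u(stage)
        if marker:
            transforms.append("marker-%s-to-%%u" % marker.decode())
        apis = [a.decode() for a in ACROBAT_API if a in stage]
        units = longest_percent_u_run(stage)
        if apis or units >= MIN_SHELLCODE_UNITS:   # the rule's emission condition
            report["stages"].append({"offset": offset, "transforms": transforms,
                                     "acrobat_api": apis, "percent_u_units": units,
                                     "js": stage.decode("latin-1")})
    return report

if __name__ == "__main__":
    for s in analyze(SAMPLE_PDF)["stages"]:
        print(hex(s["offset"]), " -> ".join(s["transforms"]), s["acrobat_api"], s["percent_u_units"])
        print(s["js"])
```

Running it reports one stage with the transform chain null-collapse -> marker-dDdDdDdD-to-%u, four Acrobat API hits and a 12-unit %u run, while a plain search of the inflated stream for "unescape(" finds nothing, which is the gap the transforms close. On a real file the same loop would have to follow /Length and object streams rather than scanning for the stream keyword, and the marker search should be bounded in time, as the report's "bounded static stage recovery" wording implies.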