Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0c8c9d636eeb7f8…

MALICIOUS

PDF

Size: 56.1 KB  Created: 2009-07-11 08:11:56  Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: 163b8e1c44e232f2c36a2e851732f71f  SHA-1: eb8085e0f23a2d97adad9dfc68b87805275d3f2c  SHA-256: f0c8c9d636eeb7f814f65c28f22de087e3e1ee4f7b44318d88191a54a5b6fb96
Risk Score: 108

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file is a PDF with embedded JavaScript, flagged by multiple heuristics including ML and ClamAV. The presence of JavaScript streams suggests an attempt to execute malicious code. The primary intent appears to be downloading and executing a second-stage payload, as indicated by the embedded JavaScript actions. The ML classifier's high score further supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9837

Heuristics 5

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • javascript_obj0034_000.js
    SHA-256: c2bfb1e1f0c5b6e4a0ff8cbb4bc0babf3ee5b23364855f112bd6356d54f670db
    Kind: pdf-javascript-stream
    Source: PDF /JS object 34 at offset 0xAFBD
    Size: 44387 bytes
  • javascript_obj0035_001.js
    SHA-256: bd64f8a3e9a39bdf019d012f43eecea9a7581eff0f08c44fd45276b02a118622
    Kind: pdf-javascript-stream
    Source: PDF /JS object 35 at offset 0xD8E3
    Size: 258 bytes
  • javascript_obj0036_002.js
    SHA-256: 4b4fc77f5953267ecf0f05c5a7c5df4aa1a3138822cf40378fc82f064104e60a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 36 at offset 0xD9F8
    Size: 229 bytes