Malicious PDF — malware analysis report

Static analysis result for SHA-256 f18652128eed2806…

Verdict: MALICIOUS
File type: PDF
Size: 23.8 KB
Created: 2023-01-20 09:53:02 +01:00
Authoring application: Nitro Pro 13 (13.70.2.40)
First seen: 2026-05-13
MD5: 30628f0f7f9870aef93172de5936bab6
SHA-1: d59b673cf773db9f4b16b806825b2638a582b22b
SHA-256: f18652128eed28061610cd1b5c19d5189e3204487934ab67a5d805e0ab64e78b
Risk score: 66

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF contains three embedded JavaScript streams and is flagged as malicious by the ML classifier (score 0.9981). Two of the streams (objects 12 and 15, stored as UTF-16 with a byte-order mark inside FlateDecode streams) call app.launchURL() on https://clinic-cloud.com/blog/consejos-de-seguridad-informatica-medicos/ and then show an app.alert() dialog reading "no deberias abrir pdfs a lo loco" ("you shouldn't open PDFs recklessly"). The third (object 1) calls alert.app("No deberias haber hecho eso") ("you shouldn't have done that"); this inverts the Acrobat API name app.alert(), so the line would raise an error rather than display anything. The URL http://198.27.82.39:8000/hola.html has an unknown reputation and is a potential download or redirection target, but it does not appear in any of the three decoded scripts listed under Extracted artifacts, so where it sits in the file should be confirmed before it is used as an indicator. Of the ATT&CK mapping, T1204.002 (the user has to open the file) is supported; T1059.001 (PowerShell) is not, since the extracted scripts contain no command-line or PowerShell invocation. The observed behaviour, opening an external web page and displaying a Spanish-language warning, is the JS-driven remote-document / phishing-redirect shape described by PDF_JS_REMOTE_DOC_FETCH below; it exploits no CVE, and the risk is where the URL leads.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9981

Heuristics (6)

  • JavaScript action (severity: low, rule PDF_JAVASCRIPT, 2 related findings)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript opens or fetches a remote URL/document (severity: low, rule PDF_JS_REMOTE_DOC_FETCH)
    Embedded JavaScript calls app.openDoc() against a remote filesystem (cFS: 'CHTTP' / 'CFTP') or app.launchURL() to open an external or base64-encoded URL. This is the JS-driven remote-document / phishing-redirect technique, distinct from a /Launch file dropper. It exploits no CVE; the risk is where the URL leads.
    Matched lines in script (the stream is UTF-16; shown decoded):
      app.alert("no deberias abrir pdfs a lo loco")
      app.launchURL("https://clinic-cloud.com/blog/consejos-de-seguridad-informatica-medicos/", true)
  • Additional-actions dictionary (severity: low, rule PDF_AA)
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm), which can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.).
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://198.27.82.39:8000/hola.html (referenced by PDF JavaScript)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (referenced by PDF JavaScript)
    • http://purl.org/dc/elements/1.1/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/pdf/1.3/ (referenced by PDF JavaScript)
    • http://www.aiim.org/pdfa/ns/extension/ (referenced by PDF JavaScript)
    • http://www.aiim.org/pdfa/ns/property# (referenced by PDF JavaScript)
    • http://www.aiim.org/pdfa/ns/schema# (referenced by PDF JavaScript)
    • http://www.aiim.org/pdfa/ns/id/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/pdfx/1.3/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/xap/1.0/ (referenced by PDF JavaScript)
    • http://clinic-cloud.com/blog/consejos-de-seguridad-informatica-medicos/ (referenced by PDF JavaScript)
    • https://clinic-cloud.com/blog/consejos-de-seguridad-informatica-medicos/ (referenced by PDF JavaScript)
    Note on the list: the w3.org, purl.org, ns.adobe.com and aiim.org entries are the standard RDF, Dublin Core, XMP and PDF/A namespace URIs that every XMP metadata packet carries. They identify schemas, are not contacted by the script, and can be ignored as indicators. The two entries worth acting on are the clinic-cloud.com URL, which the decoded scripts open with app.launchURL(), and the 198.27.82.39:8000 URL, which the extractor labels as JavaScript-referenced but which does not appear in the decoded script previews below.

Extracted artifacts (5)

Files carved from inside the sample during analysis (filename, kind, source, size, hash and a preview where the file is a script).

javascript_obj0001_000.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 1 at offset 0x10
  Size: 40 bytes
  SHA-256: a556041ecc7ad2e8fbec7f6bad22f3abe950657fccd8af3cf45df3f4fd4943a1
  Preview script (first 1,000 lines of the extracted script):
    alert.app("No deberias haber hecho eso")

javascript_obj0012_001.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 12 at offset 0x5F3
  Size: 290 bytes
  SHA-256: 1e538f20b34ecb5c968adf440ea16b681f69e046c286ac97dc3fae570c64f99e
  Preview script (first 1,000 lines of the extracted script; the stream is UTF-16LE with a leading byte-order mark, which is why the raw preview rendered as a spaced-out string, so it is shown here decoded):
    app.launchURL("https://clinic-cloud.com/blog/consejos-de-seguridad-informatica-medicos/", true)

    app.alert("no deberias abrir pdfs a lo loco")

javascript_obj0015_002.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 15 at offset 0xF63
  Size: 286 bytes
  SHA-256: 2a05755a585a42094cc998350ede6b60aafa40e1e8902ada0c74eef3370be39c
  Preview script (first 1,000 lines of the extracted script; UTF-16LE with byte-order mark, shown decoded; the same two statements as object 12, with the 4-byte size difference and distinct hash pointing to a byte-level difference, such as line endings, that the decoded preview does not show):
    app.launchURL("https://clinic-cloud.com/blog/consejos-de-seguridad-informatica-medicos/", true)

    app.alert("no deberias abrir pdfs a lo loco")

stream_004_off000005f3.js
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x5F3 (the same offset as object 12)
  Size: 144 bytes
  SHA-256: 5ccbfde6e1d62472e02a291a344ff076441e9ab1c054ed4d0e1a61073dc428a5

stream_005_off00000f63.js
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xF63 (the same offset as object 15)
  Size: 142 bytes
  SHA-256: 6e6eb62888d1d2608e2c57010adaaf17a289df8603b592fab2cd3b874ee74538
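The rule descriptions above (PDF_JS_REMOTE_DOC_FETCH and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the UTF-16, FlateDecoded /JS streams in the artifact list describe what the analyser looks for. The script below is an added example written for this page, not code from the analysis tool or from the sample: it reproduces those three checks on a constructed minimal PDF embedded inline (object numbers chosen to mirror the report, a placeholder URL https://example.invalid/landing instead of the real one). It does no cross-reference parsing and handles only a direct /Length, so it is a triage aid that sees every object definition in file order, not a conformant PDF parser.

```python
import re
import zlib

# Constructed sample, not the analysed file: a minimal PDF skeleton (no xref,
# will not render) carrying the three shapes the report flags:
#   obj 1  - /JS literal string (the report's object 1 is this shape)
#   obj 12 - FlateDecode stream holding UTF-16LE script with a BOM, referenced
#            from obj 15 as '/JS 12 0 R' (the report's objects 12 and 15)
#   obj 3  - defined twice with different bodies via an incremental update
# The launchURL target is a placeholder, not the report's URL.

def _flate_utf16(script):
    """Store a script the way the report's streams were stored: BOM + UTF-16LE, deflated."""
    return zlib.compress(b"\xff\xfe" + script.encode("utf-16-le"))

_OBJ12 = _flate_utf16('app.launchURL("https://example.invalid/landing", true)\n'
                      'app.alert("constructed sample")')

_HEAD = (
    b"%PDF-1.7\n"
    b'1 0 obj\n<< /S /JavaScript /JS (alert.app("hello")) >>\nendobj\n'
    b"3 0 obj\n<< /Type /Pages /Count 1 >>\nendobj\n"
    b"12 0 obj\n<< /Filter /FlateDecode /Length " + str(len(_OBJ12)).encode() + b" >>\nstream\n"
)
SAMPLE_PDF = (
    _HEAD + _OBJ12 +
    b"\nendstream\nendobj\n"
    b"15 0 obj\n<< /S /JavaScript /JS 12 0 R >>\nendobj\n"
    b"%%EOF\n"
    # incremental update appends a second, different body for object 3 (adds /AA)
    b"3 0 obj\n<< /Type /Pages /Count 1 /AA << /O 15 0 R >> >>\nendobj\n"
    b"%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)

def iter_objects(pdf):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order, with no
    xref parsing, so duplicates appended by incremental updates are all seen."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3)

def duplicate_objects(pdf):
    """PDF_DUPLICATE_OBJ_BODY shape: (num, gen) -> list of bodies for objects defined
    more than once with different bytes. A first-wins reader resolves bodies[0], a
    last-wins reader resolves bodies[-1]."""
    bodies = {}
    for num, gen, body in iter_objects(pdf):
        bodies.setdefault((num, gen), []).append(body.strip())
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}

def stream_payload(body):
    """Decoded bytes of a stream object body, or None. Only a direct /Length is
    handled; an indirect '/Length N 0 R' is left to a real parser."""
    length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", body)
    kw = body.find(b"stream")
    if not length or kw < 0:
        return None
    start = kw + len(b"stream")
    start += 2 if body[start:start + 2] == b"\r\n" else 1   # EOL after 'stream'
    data = body[start:start + int(length.group(1))]
    if b"/FlateDecode" in body[:kw]:
        data = zlib.decompress(data)
    return data

def _literal_string(buf, start):
    """Read a PDF literal string starting at buf[start] == b'(' honouring nested
    parentheses and backslash escapes; returns the unescaped inner bytes."""
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":                       # keep the escape pair, unescape at the end
            out += buf[i:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return re.sub(rb"\\([()\\])", rb"\1", bytes(out))
        out += c
        i += 1
    raise ValueError("unterminated literal string")

def decode_js(raw):
    """Decode a /JS payload: a UTF-16 BOM (what rendered as '��' in the report's
    previews) is honoured and stripped, otherwise bytes are read as Latin-1."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+(\d+)\s+R\b")
JS_LIT_RE = re.compile(rb"/JS\s*\(")

def extract_js(pdf):
    """[(object number, script)] for every /JS entry, using a last-wins view of
    duplicate objects and inflating FlateDecode streams. Reference targets are
    reported under the stream object's number, as the report does."""
    objects = {}
    for num, gen, body in iter_objects(pdf):
        objects[(num, gen)] = body                  # last definition wins
    scripts = []
    for (num, gen), body in objects.items():
        ref = JS_REF_RE.search(body)
        if ref:
            target = int(ref.group(1)), int(ref.group(2))
            payload = stream_payload(objects.get(target, b""))
            if payload is not None:
                scripts.append((target[0], decode_js(payload)))
            continue
        lit = JS_LIT_RE.search(body)
        if lit:
            scripts.append((num, decode_js(_literal_string(body, lit.end() - 1))))
    return scripts

# PDF_JS_REMOTE_DOC_FETCH shape: app.launchURL("...") or app.openDoc({..., cFS: "CHTTP"/"CFTP"}).
# Double-quoted literals only; a single-quoted or base64-built URL needs a JS tokenizer.
LAUNCH_RE = re.compile(r'app\.launchURL\s*\(\s*"([^"]*)"')
OPENDOC_RE = re.compile(r'app\.openDoc\s*\(.*?cFS\s*:\s*"(CHTTP|CFTP)"', re.S)

def remote_fetches(script):
    hits = [("launchURL", url) for url in LAUNCH_RE.findall(script)]
    hits += [("openDoc", fs) for fs in OPENDOC_RE.findall(script)]
    return hits

def triage(pdf):
    """One-shot summary of the three checks for a PDF given as bytes."""
    scripts = extract_js(pdf)
    return {
        "scripts": scripts,
        "remote": [(num, hit) for num, script in scripts for hit in remote_fetches(script)],
        "duplicate_objects": sorted(duplicate_objects(pdf)),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(key, value)
```

Run against the constructed sample, triage() reports object 1 and object 12 as scripts, object 12 as the launchURL hit, and object 3 as defined twice with the /AA entry only in the later body, which is exactly the combination (duplicate object carrying active content) that the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL rule says raises its severity. To use it on a real file, read the bytes and pass them to triage(); remember that a UTF-16 /JS stream defeats any grep for "launchURL" on the raw file, which is why the BOM-aware decode sits in the pipeline rather than a plain regex over the file.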