Malicious PDF — malware analysis report

Static analysis result for SHA-256 fdb39938167e5418…

MALICIOUS

PDF

Size: 203.8 KB
Authoring application: PyPDF2
MD5: e06419099b28591a5218b2d6ed3080b8
SHA-1: d7f4d5ebeca78296a41b6d0a69ecba2b6b6bfe67
SHA-256: fdb39938167e5418e0654ef21a992adbb370a8fab776b1bc6f9dfbba440d3b77
Risk score: 244

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

This PDF file contains embedded JavaScript that is heavily obfuscated. Two heuristics, 'PDF JavaScript ActiveX downloader' and 'Embedded script payload in PDF stream', indicate that the decoded script instantiates Windows ActiveX/COM objects to fetch a second-stage payload from a remote source and execute it, a common downloader pattern rather than a specific Acrobat exploit. The deobfuscated JavaScript supports this reading, although its exact execution path remains obscured. Note that ActiveXObject, WScript.Shell and ADODB.Stream are Windows Script Host primitives rather than Acrobat JavaScript APIs, which is consistent with a script payload staged inside the PDF stream rather than one that runs in the reader. The benign IRS URL appears to be a lure. ClamAV flags none of the carved artifacts; the verdict rests on the correlated heuristic cluster and the classifier score.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9278

Heuristics (9)

  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded script payload in PDF stream [high] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF JavaScript ActiveX downloader [high] PDF_JS_ACTIVEX_DOWNLOADER
    Decoded PDF JavaScript instantiates Windows ActiveX/COM objects to download a payload over HTTP, write it through ADODB.Stream, and execute it through a WScript.Shell/rundll32-style process launch. This is commodity downloader behavior rather than a specific Acrobat CVE trigger.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode [low] PDF_FROMCHARCODE
    String.fromCharCode found; it is used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
  • External URI [low] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.irs.gov/formspubs/article/0,,id=231643,00.html

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0016_000.js
SHA-256: ac9c8a3a2741e4964aea4833ab4b7b0a49011b26d10fdac7a815a15d74032845
Kind: pdf-javascript-stream
Source: PDF /JS object 16 at offset 0x1483
Size: 27550 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Static triage: 1 shell/COM execution token(s); 3 eval/decoder/string-building token(s); 1 long base64-like blob(s)

Filename: embedded_pdf_script_00001b0e.bin
SHA-256: 24cd3268fbc20f4d016f32d95bc39d99b32669c80e3c95025f9a462a2febb939
Kind: pdf-embedded-script
Source: PDF decompressed stream script payload at offset 0x1B0E
Size: 208597 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Static triage: 1 shell/COM execution token(s); 3 eval/decoder/string-building token(s); 1 long base64-like blob(s)

Filename: deobfuscated.js
SHA-256: a971b700bf3b67fa70115200b8f8cf74e4abe2e6c49a604586f9b72d69b1c695
Kind: deobfuscated-js
Source: PDF JavaScript deobfuscation pass
Size: 238528 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Static triage: 2 shell/COM execution token(s); 6 eval/decoder/string-building token(s); 2 long base64-like blob(s)
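The following is an added, self-contained example of how the heuristics above (the low-severity /JavaScript and /JS markers, the fromCharCode/eval/unescape decoder indicators, the shell/COM execution tokens that drive PDF_EMBEDDED_SCRIPT_PAYLOAD and PDF_JS_ACTIVEX_DOWNLOADER, and the correlated PDF_JS_EXPLOIT_CLUSTER) and the carved-artifact token counts can be reproduced with a small static triage pass. It is not the scanner's own code and does not analyse the report's sample: the PDF it scans is constructed inline around a FlateDecode-compressed /JS stream carrying an ActiveX downloader skeleton whose COM ProgIDs are hidden behind unescape() and String.fromCharCode(). Token regexes, the deobfuscation rules and the cluster condition are the author's assumptions about what the report's rule names mean. Nothing is executed: the "deobfuscation pass" only folds constant-argument decoder calls, which is why the shell/COM count rises after it, as it does for deobfuscated.js above.

```python
import json
import re
import zlib

# Constructed sample script (not the report's). A WSH-style downloader skeleton that
# fetches nothing; the ProgIDs "WScript.Shell" and "ADODB.Stream" are hidden behind
# unescape() and String.fromCharCode() exactly as commodity droppers do.
SAMPLE_JS = (
    'var sh = unescape("%57%53%63%72%69%70%74%2e%53%68%65%6c%6c");\n'        # "WScript.Shell"
    'var http = new ActiveXObject("MSXML2.XMLHTTP");\n'
    'var st = String.fromCharCode(65,68,79,68,66,46,83,116,114,101,97,109);\n'  # "ADODB.Stream"
    'var ado = new ActiveXObject(st);\n'
    'eval(String.fromCharCode(118,97,114,32,120,61,49));\n'                   # "var x=1"
    'var blob = "' + "QUJD" * 20 + '";\n'                                     # long base64-like blob
)


def build_sample_pdf(js: str) -> bytes:
    """Wrap a script in a minimal PDF whose /OpenAction fires a compressed /JS stream.
    No xref table is written; the carver below walks objects by regex instead."""
    body = zlib.compress(js.encode("latin-1"))
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body) + body + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.7\n")
    for num, obj in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(out)


OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def carve_scripts(pdf: bytes) -> list:
    """Return (object number, decoded text) for every stream object, inflating
    FlateDecode streams. Regex carving is sample-grade: a real carver honours /Length."""
    carved = []
    for obj in OBJ_RE.finditer(pdf):
        num, body = int(obj.group(1)), obj.group(2)
        sm = STREAM_RE.search(body)
        if not sm:
            continue
        raw = sm.group(1)
        if b"/FlateDecode" in body:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass  # keep raw bytes; a filter that fails to inflate is itself worth a look
        carved.append((num, raw.decode("latin-1")))
    return carved


# Assumed token classes behind the report's three per-artifact counters.
SHELL_COM_RE = re.compile(r"ActiveXObject|CreateObject|WScript\.Shell|ADODB\.Stream|powershell|rundll32", re.I)
DECODER_RE = re.compile(r"\beval\b|\bunescape\b|fromCharCode|\batob\b")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def count_tokens(text: str) -> dict:
    return {
        "shell_com": len(SHELL_COM_RE.findall(text)),
        "decoder": len(DECODER_RE.findall(text)),
        "b64_blobs": len(B64_BLOB_RE.findall(text)),
    }


FCC_RE = re.compile(r"String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)")
UNESC_RE = re.compile(r"unescape\(\s*([\"'])((?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2})+)\1\s*\)")


def deobfuscate(js: str) -> str:
    """Fold constant String.fromCharCode(...) and unescape('%xx'/'%uxxxx') calls into
    JSON string literals (valid JS). Purely static: dynamic arguments are left alone."""
    def fold_fcc(m):
        return json.dumps("".join(chr(int(n)) for n in m.group(1).split(",")))

    def fold_unesc(m):
        s = re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                   lambda h: chr(int(h.group(1) or h.group(2), 16)), m.group(2))
        return json.dumps(s)

    return UNESC_RE.sub(fold_unesc, FCC_RE.sub(fold_fcc, js))


def triage_pdf(pdf: bytes) -> dict:
    """Score a PDF the way the report's rules do: generic JS markers stay low on their
    own; decoder primitives on a JS surface form the cluster; COM download/execute
    primitives in the decoded script mark the downloader."""
    has_js_action = b"/JavaScript" in pdf
    has_js_stream = re.search(rb"/JS(?![A-Za-z])", pdf) is not None
    before = {"shell_com": 0, "decoder": 0, "b64_blobs": 0}
    after = dict(before)
    downloader = from_char_code = False
    for _, text in carve_scripts(pdf):
        clean = deobfuscate(text)
        for k, v in count_tokens(text).items():
            before[k] += v
        for k, v in count_tokens(clean).items():
            after[k] += v
        from_char_code |= "fromCharCode" in text
        downloader |= "ActiveXObject" in clean and ("ADODB.Stream" in clean or "WScript.Shell" in clean)
    return {
        "PDF_JAVASCRIPT": has_js_action,
        "PDF_JS": has_js_stream,
        "PDF_FROMCHARCODE": from_char_code,
        "PDF_EMBEDDED_SCRIPT_PAYLOAD": before["shell_com"] > 0,
        "PDF_JS_ACTIVEX_DOWNLOADER": downloader,
        "PDF_JS_EXPLOIT_CLUSTER": (has_js_action or has_js_stream) and before["decoder"] > 0,
        "tokens_before": before,
        "tokens_after": after,
    }


if __name__ == "__main__":
    print(json.dumps(triage_pdf(build_sample_pdf(SAMPLE_JS)), indent=2))
```

On the constructed sample the raw stream already shows 2 shell/COM tokens (the two ActiveXObject calls); folding the decoder calls exposes WScript.Shell and ADODB.Stream and lifts the count to 4 while the decoder count falls, which is the signal the report's deobfuscated.js row reflects. A benign form script such as app.alert("hi") keeps PDF_JAVASCRIPT set and every high-severity rule clear.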