Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe9f617ba3c64b50…

MALICIOUS

PDF

Size: 53.1 KB
Created: 2008-07-21 11:01:03 UTC
Authoring application: pdfFactory Pro www.fineprint.com.cn (via pdfFactory Pro 2.10 (Windows XP Chinese))
MD5: 04e1a78e9893b4f211ba73a87c308bb2
SHA-1: 098d8c5f1c55cc0af9c778be72e78b0152ebff98
SHA-256: fe9f617ba3c64b500670494889a9772209be727f347a2e37ca352a4e92ed7e9e
Risk score: 116

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript/JScript
T1204.002 Malicious File

The PDF contains a /JavaScript action whose /JS stream (object 37) uses eval() together with String.fromCharCode and a long hex-escaped string blob: the typical shape of JavaScript that rebuilds an obfuscated payload at runtime. The ML classifier scored it 0.9957 malicious. Static analysis does not reveal what the decoded code does; such stages commonly either assemble a shellcode buffer for a reader exploit or fetch a second-stage payload, and the strings extracted here show no download URL. The URLs recovered from the file are the authoring tool's vendor site (www.fineprint.com.cn, reached through a /URI link action) and standard XMP metadata namespaces, so they carry no evidence of malicious intent on their own; the verdict rests on the obfuscated JavaScript and the classifier score. Dynamic analysis in an instrumented reader, or manual deobfuscation of the carved artifact, is needed to recover the actual payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9957

Heuristics 7

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.fineprint.com.cn (from the /URI link action; the raw extraction reads "http://www.fineprint.com.cn)/S/URI" because the closing parenthesis and the /S /URI keys of the action dictionary were swallowed into the URL; this is the authoring tool's vendor site)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/ (XMP metadata namespace)
    • http://purl.org/dc/elements/1.1/ (XMP metadata namespace)
    • http://ns.adobe.com/pdf/1.3/ (XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/mm/ (XMP metadata namespace)

Extracted artifacts 4

Files carved from inside the sample during analysis.

  • javascript_obj0037_000.js
    SHA-256: 977ccac9cdd11dcd6a26a6922b7faacb998b80b243941398e838db190156c66e
    Kind: pdf-javascript-stream
    Source: PDF /JS object 37 at offset 0xF98
    Size: 7672 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s) and 1 long hex-escaped blob(s).
  • font_00_sfnt_off000031f9.bin
    SHA-256: 6dc1f90496a63589ad75c7eca5e9d80e141a5b19743a347bd5bf3150bc8bb585
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x31F9
    Size: 17152 bytes
  • font_01_sfnt_off00005f3f.bin
    SHA-256: 4435506ae63b4783a85e83f3f9b500375165448360eef1ade3760ec955b5a7c2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5F3F
    Size: 22616 bytes
  • font_02_sfnt_off00009a43.bin
    SHA-256: 13c47c7ea8447f95875a3bded169065d11ed713b7ba544ed08c5e8adfc0047e9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9A43
    Size: 21840 bytes
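The heuristics above (PDF_JAVASCRIPT, PDF_JS, PDF_EVAL, PDF_FROMCHARCODE, PDF_URI) and the static triage of the carved JavaScript artifact can be reproduced with a small scanner. The following Python is an added example, not the analysis platform's own code: it walks the PDF objects, follows an indirect /JS reference to its FlateDecode stream (the way object 37 is reached in this sample), inflates it, applies the API checks to the decoded code rather than the raw stream, counts decoder tokens and hex-escaped blobs with assumed thresholds (two tokens or one blob of 32 or more escapes), and extracts /URI targets as the string between the parentheses so that PDF syntax such as ")/S/URI" never ends up in the URL. The sample PDF and its JavaScript are constructed inline and shaped to mirror the carved artifact (two decoder tokens, one hex blob); the token list, the thresholds and the reuse of the rule IDs as labels are assumptions.

```python
import re
import zlib

# Assumption: a plain object/stream scanner, not a full PDF parser; object
# streams and cross-reference streams are not expanded.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")          # /JS 37 0 R
JS_STR_RE = re.compile(rb"/JS\s*\(((?:\\.|[^\\)])*)\)")     # /JS (inline code)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")       # /URI (http://...)
# Assumed approximation of the "eval/decoder/string-building" token set.
DECODER_TOKENS = (b"eval(", b"unescape(", b"String.fromCharCode", b"decodeURIComponent(")
# Assumed definition of a "long hex-escaped blob": 32+ consecutive \xHH or %uHHHH escapes.
HEX_BLOB_RE = re.compile(rb"(?:\\x[0-9a-fA-F]{2}|%u[0-9a-fA-F]{4}){32,}")


def decode_stream(dict_bytes, raw):
    """Inflate a /FlateDecode stream; any other filter is returned raw."""
    if b"/FlateDecode" in dict_bytes:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw  # truncated or corrupt stream: scan the raw bytes anyway
    return raw


def parse_objects(data):
    """Map object number -> body bytes (everything between 'obj' and 'endobj')."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}


def stream_of(body):
    """Decoded stream payload of an object body, or None if it has no stream."""
    sm = STREAM_RE.search(body)
    return decode_stream(body[: sm.start()], sm.group(1)) if sm else None


def scan_pdf(data):
    """Rule hits, carved JS artifacts [(object number, bytes)] and /URI targets."""
    hits = dict.fromkeys(["PDF_JAVASCRIPT", "PDF_JS", "PDF_EVAL", "PDF_FROMCHARCODE", "PDF_URI"], 0)
    artifacts, urls = [], []
    objs = parse_objects(data)
    for num, body in objs.items():
        sm = STREAM_RE.search(body)
        dict_bytes = body[: sm.start()] if sm else body
        if re.search(rb"/S\s*/JavaScript", dict_bytes):
            hits["PDF_JAVASCRIPT"] += 1
        if re.search(rb"/S\s*/URI", dict_bytes):
            hits["PDF_URI"] += 1
        # Only the literal inside /URI ( ... ) is the URL; the ')' and the
        # action keys that follow it are PDF syntax.
        urls += [u.decode("latin-1") for u in URI_RE.findall(dict_bytes)]
        ref, inline = JS_REF_RE.search(dict_bytes), JS_STR_RE.search(dict_bytes)
        if ref:                                  # indirect: carve the referenced stream
            hits["PDF_JS"] += 1
            target = int(ref.group(1))
            js = stream_of(objs.get(target, b""))
            if js is not None:
                artifacts.append((target, js))
        elif inline:                             # inline: the code is a literal string
            hits["PDF_JS"] += 1
            artifacts.append((num, inline.group(1)))
    for _, js in artifacts:                      # API checks run on the decoded code
        hits["PDF_EVAL"] += int(b"eval(" in js)
        hits["PDF_FROMCHARCODE"] += int(b"String.fromCharCode" in js)
    return {"hits": hits, "artifacts": artifacts, "urls": urls}


def triage_artifact(js):
    """Static triage of a carved JS artifact ("Obfuscation or payload" verdict)."""
    tokens = sum(js.count(t) for t in DECODER_TOKENS)
    blobs = len(HEX_BLOB_RE.findall(js))
    return {"decoder_tokens": tokens, "hex_blobs": blobs,
            "likely_obfuscated": tokens >= 2 or blobs >= 1}   # assumed threshold


# Constructed sample JavaScript: two decoder tokens and one 40-escape hex blob.
JS_PAYLOAD = (b"var s = String.fromCharCode(0x61, 0x6c, 0x65, 0x72, 0x74);\n"
              + b'var blob = "' + b"\\x90" * 40 + b'";\n'
              + b'eval(s + "(blob.length)");\n')


def build_sample_pdf(js=JS_PAYLOAD):
    """Constructed sample: an /OpenAction JavaScript action whose /JS refers to a
    FlateDecode stream (object 4) plus a /URI link annotation to the vendor site."""
    comp = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Action /S /JavaScript /JS 4 0 R >>",
        b"<< /Length " + str(len(comp)).encode() + b" /Filter /FlateDecode >>\nstream\n"
        + comp + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.fineprint.com.cn) >> >>",
    ]
    out = b"%PDF-1.4\n"
    for i, o in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + o + b"\nendobj\n"
    return out + b"%%EOF\n"


if __name__ == "__main__":
    report = scan_pdf(build_sample_pdf())
    print(report["hits"], report["urls"])
    for obj_num, code in report["artifacts"]:
        print("object", obj_num, triage_artifact(code))
```

Run against a real sample, pass the file bytes to scan_pdf() and feed each carved artifact to triage_artifact(); the eval and fromCharCode hits are reported per decoded artifact, which is why a benign form library and an exploit stage score differently only once the other rules (blob count, token count, classifier) are combined.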