Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c55e17689ea24f2…

Verdict: MALICIOUS
File type: PDF
Size: 524.8 KB
Created: 2009-07-30 15:52:28 +02:00
Authoring application: Haru Free PDF Library 2.1.0
MD5: 38574fbb7903c6576007dd8dc1bb2d82
SHA-1: c4d6b8b301c9659f235b906255c1624e34faab7f
SHA-256: 0c55e17689ea24f2bb3b9526df7bef24c186ec3420fb59801df2f7d7481d9a62
Risk score: 64

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The PDF contains three /JS streams (objects 27, 28 and 29) plus a raw script payload at offset 0x110CE, all heavily obfuscated, which limits precise static analysis. Heuristic analysis nevertheless raised a critical ClamAV hit (Html.Trojan.Shellcode-19) on the carved artifact 'embedded_pdf_script_000110ce.bin', and the same artifact matched the static obfuscation check with 11 eval/decoder/string-building tokens. The signature name indicates shellcode embedded in the script; this suggests the script is designed to download and execute a second-stage payload, although the obfuscation prevented confirming that behaviour statically. The file also carries a 453 KB embedded SWF (testfuzz.swf, object 15) that was carved but not flagged by ClamAV. The analysis timed out, so inspection of the remaining artifacts is partial.

Heuristics (3)

  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on a carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Analysis timed out (partial result) [info] ANALYSIS_TIMEOUT_PARTIAL
    Analysis exceeded the wall-clock timeout. Heuristics emitted by completed phases are preserved; phases interrupted mid-execution may have missed findings.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks, such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • testfuzz.swf
    SHA-256: e00d9045e744aa9e58f36aa4ce84b8a453e8a30542d622ccf506c54a1f2f854c
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 15 at offset 0x137C9 | Size: 453541 bytes
  • javascript_obj0027_000.js
    SHA-256: e3e351675eabd51ed0a9b2a42fdbd26abed2160bc835c82b759bad35673da1ea
    Kind: pdf-javascript-stream | Source: PDF /JS object 27 at offset 0x712 | Size: 1535 bytes
  • javascript_obj0028_001.js
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
    Kind: pdf-javascript-stream | Source: PDF /JS object 28 at offset 0x8FD | Size: 870 bytes
  • javascript_obj0029_002.js
    SHA-256: 6e69c63d9c536fe522ee26ec28b45a9f482c2143b8722590aff104d35f1a4006
    Kind: pdf-javascript-stream | Source: PDF /JS object 29 at offset 0xA57 | Size: 3353 bytes
  • embedded_pdf_script_000110ce.bin
    SHA-256: 65a3d66b636d21a30c4896df89a54602ac9ce7b1c9f3f01be818e0e6358c58ca
    Kind: pdf-embedded-script | Source: PDF raw stream script payload at offset 0x110CE | Size: 7420 bytes
    Detection: ClamAV Html.Trojan.Shellcode-19
    Obfuscation or payload: likely (carved artifact contains 11 eval/decoder/string-building tokens)
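The carving and token-count checks behind the EXTRACTED_FILE_STATIC_TRIAGE heuristic and the "Obfuscation or payload" line above, as an added example (not the analysis platform's own code): a small parser that walks PDF objects, inflates FlateDecode streams, resolves /JS values given either as an indirect stream reference or as a literal string, undoes PDF name hex-escapes (so /J#53 is recognised as /JS, a common evasion against naive greps), and counts evaluator/decoder/string-building tokens. The token list, the threshold of three hits for "likely", and the sample PDF the script builds are all assumptions constructed for illustration; the object numbers in that sample have nothing to do with this report's objects 15, 27, 28 and 29.

```python
import re
import zlib

_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
_NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
# Evaluator / decoder / string-building tokens; an assumed list, not the scanner's real one.
SUSPICIOUS_TOKENS = (b"eval(", b"unescape(", b"fromCharCode", b"charCodeAt", b"decodeURIComponent",
                     b".replace(", b".split(", b".join(", b".substr", b"app.setTimeOut",
                     b"util.printf", b"this.getAnnots", b"exec", b"download")


def normalize_names(dict_text: bytes) -> bytes:
    # Undo name hex-escapes so /J#53 matches /JS; applied to dictionaries only, never to stream data.
    return _NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), dict_text)


def parse_objects(pdf: bytes) -> dict:
    # Map object number -> (dictionary text, raw stream bytes or None). The stream length comes
    # from a direct /Length; an indirect /Length (n 0 R) falls back to scanning for 'endstream'.
    objs = {}
    for m in _OBJ.finditer(pdf):
        body = m.group(3)
        s = re.search(rb"stream\r?\n", body)
        if not s:
            objs[int(m.group(1))] = (normalize_names(body), None)
            continue
        dict_text = normalize_names(body[:s.start()])
        length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dict_text)
        if length:
            raw = body[s.end():s.end() + int(length.group(1))]
        else:
            raw = body[s.end():body.rfind(b"endstream")].rstrip(b"\r\n")
        objs[int(m.group(1))] = (dict_text, raw)
    return objs


def decode_stream(dict_text: bytes, raw: bytes) -> bytes:
    # Inflate FlateDecode streams (the only filter handled here). A corrupt or truncated
    # stream is returned raw so the triage still sees whatever bytes are present.
    if re.search(rb"/Filter\s*\[?\s*/FlateDecode", dict_text):
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def _read_literal(text: bytes, start: int) -> bytes:
    # Read a PDF literal string from text[start] == '(' honouring nesting and backslash escapes.
    depth, out, i = 0, bytearray(), start
    while i < len(text):
        c = text[i:i + 1]
        if c == b"\\":
            out += text[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            break
        if not (c == b"(" and depth == 1):  # drop only the outermost '('
            out += c
        i += 1
    return bytes(out)


def carve_javascript(pdf: bytes) -> list:
    # Return [(object number, script bytes)] for every /S /JavaScript action, whether the
    # /JS value is an indirect stream reference or a direct literal string.
    objs = parse_objects(pdf)
    scripts = []
    for num, (dict_text, _raw) in sorted(objs.items()):
        if not re.search(rb"/S\s*/JavaScript\b", dict_text):
            continue
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", dict_text)
        if ref:
            target = objs.get(int(ref.group(1)))
            if target and target[1] is not None:
                scripts.append((int(ref.group(1)), decode_stream(*target)))
            continue
        lit = re.search(rb"/JS\s*\(", dict_text)
        if lit:
            scripts.append((num, _read_literal(dict_text, lit.end() - 1)))
    return scripts


def count_suspicious_tokens(script: bytes) -> dict:
    # Count eval/decoder/string-building tokens, the check behind the report's static triage line.
    hits = {t.decode(): script.count(t) for t in SUSPICIOUS_TOKENS}
    return {k: v for k, v in hits.items() if v}


def triage(pdf: bytes) -> list:
    # Per carved script: (object number, total hits, 'likely'/'unlikely'); the threshold 3 is assumed.
    result = []
    for num, script in carve_javascript(pdf):
        total = sum(count_suspicious_tokens(script).values())
        result.append((num, total, "likely" if total >= 3 else "unlikely"))
    return result


def build_sample_pdf() -> bytes:
    # Constructed sample, not the analysed file: one Flate-compressed obfuscated script reached
    # via /OpenAction, and one benign literal script under a hex-escaped /J#53 key (== /JS).
    obf = (b'var sc = unescape("%u9090%u9090%uCCCC");'
           b'var s = String.fromCharCode(97, 112, 112);'
           b'eval(s + ".alert(" + sc.length + ")");')
    comp = zlib.compress(obf)
    objs = [b"<< /Type /Catalog /OpenAction 2 0 R >>",
            b"<< /S /JavaScript /JS 3 0 R >>",
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp) + comp + b"\nendstream",
            b"<< /S /JavaScript /J#53 (app.alert(1)) >>"]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for num, hits, flag in triage(build_sample_pdf()):
        print(f"object {num}: {hits} token hit(s), obfuscation or payload: {flag}")
```

To run it against a real file, pass the file's bytes to triage() instead of build_sample_pdf(). Streams using filters other than FlateDecode (ASCIIHexDecode, LZW, or a filter chain) come back raw and will under-count, and scripts referenced from /AA or /Names trees are only found when their action dictionary still says /S /JavaScript, which is why the carved artifact names in this report are a better starting point than a grep for "/JS" on the raw file.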