Malicious PDF — malware analysis report

Static analysis result for SHA-256 13e1bec505d82a58…

MALICIOUS

PDF

Size: 163.9 KB
Created: 2009-01-29 23:55:37 UTC
Authoring application: PScript5.dll Version 5.2 (via FDFMerge 5.0.4 Linux 7 SPDF_1096+ May 3 2004)
MD5: b5bf224590e07df4aa3fbab27f44ef33
SHA-1: 0c2e56dab21dab7297846ce5896e7f652acb0196
SHA-256: 13e1bec505d82a58030bb97f154a7291a26762d7e2dd6fc22a580aea65ce3d21
Risk Score: 198

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF file contains embedded JavaScript that utilizes eval() and String.fromCharCode(), indicating an attempt to obfuscate malicious code. The ClamAV heuristic 'Pdf.Exploit.Agent-21117' and the 'PDF JavaScript exploit cluster' firing strongly suggest this is an exploit attempting to execute arbitrary code. The JavaScript itself appears to be attempting to extract information from form fields, which is a common lure for phishing or credential harvesting, but its primary function is likely to download and execute a secondary payload. No specific family could be identified.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4271

Heuristics (10)

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Exploit.Agent-21117 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-21117
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.monotype.com (Monotype)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://www.monotype.com/html/mtname/ms_arial.html
    • http://www.monotype.com/html/mtname/ms_welcome.html
    • http://www.monotype.com/html/type/license.html
    • http://www.iec.ch

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • javascript_obj0001_000.js
    SHA-256: ad6f764151cf536a95cfa42d4ac0d4d1f9e7b9516f4acb345bf5e1e699b299c4
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1 at offset 0xF
    Size: 4987 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 10 eval/decoder/string-building token(s))
  • stream_001_off000006f0.bin
    SHA-256: f8b5634482dabaf0040161953b708d7648a1dc1459beb6e63bf997bafb4818f7
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x6F0
    Size: 107773 bytes
  • stream_004_off000120e7.bin
    SHA-256: 776c4818f6e73bbad0b9afa4f6699bed703829663ed6c6f0de08e2c981ae499a
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x120E7
    Size: 45320 bytes
  • icc_00_off0000f9c9.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0xF9C9
    Size: 3144 bytes
  • font_01_sfnt_off00018498.bin
    SHA-256: 63b26114b83cc1fe477a7211ef2809ec8989a929b736d22a94ce8405aee1b121
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18498
    Size: 36068 bytes