Malicious PDF — malware analysis report

Static analysis result for SHA-256 190ac9fd83d276cd…

MALICIOUS

PDF

47.1 KB Created: 2008-09-02 17:29:14 +02:00 Authoring application: Adobe InDesign CS2 (4.0) (via Adobe PDF Library 7.0)
MD5: e2648aa2c085bdc2d1c0f3c1a5eb19fa SHA-1: 1c9bfa990711d75218f845deffe3202dd766d30f SHA-256: 190ac9fd83d276cdb26e5564f4212d252403e64619b385a797b7f0336013f640
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains embedded JavaScript, including a call to eval() and a script that appears to be designed to bypass input validation, indicating an attempt to exploit vulnerabilities. The presence of PDF_JS_EXPLOIT_CLUSTER and PDF_EVAL heuristics strongly suggests an exploit is present. The JavaScript stream 'javascript_obj0049_004.js' is particularly suspicious due to its use of eval() and its potential to execute arbitrary code.

Machine Learning

  • Nyx PDF Classifier clean score 0.1574

Heuristics 6

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://www.iec.ch

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0044_001.js
c4287c5c3e37d48b98ace11b04930d19e8be4d405af6749d7e51f8d70a59029e		 pdf-javascript-stream PDF /JS object 44 at offset 0x32B0 33 bytes
javascript_obj0049_004.js
62c61e160d193593e7c4355b0d905e5090d5718b0871bcc3dea0267072295506		 pdf-javascript-stream PDF /JS object 49 at offset 0x3408 127 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
icc_00_off000035a4.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x35A4 3144 bytes
font_00_sfnt_off00004348.bin
70fe4bd126e9ab27919a08974fd64bd940d321eb730b53b4e633cfbb78506aa6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4348 13091 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.