PDF malware analysis — malicious · 1dbac5f3cb8eaac7

MALICIOUS

PDF

1.95 MB

MD5: 779682c2af04b7f6dfa688f4089a5223 SHA-1: c02aac941c2a417813f964c0ee4d3824de502cfd SHA-256: 1dbac5f3cb8eaac7111cf3bd3443375208828d09eed344df0b11cd8d348e7422

104 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF contains embedded JavaScript, indicated by multiple heuristic firings including 'PDF_JAVASCRIPT' and 'PDF_JS'. The 'PDF_FILTER_HEX' rule suggests obfuscation techniques commonly used to hide malicious content. The ClamAV detection 'Heuristics.PDF.ObfuscatedNameObject' further supports the malicious nature. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload, a common technique for malware delivery.

Heuristics 5

ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0004_000.js` `4a8a63c68e9b53694a9bae067710340acc603ae22078d77af30919f7a9691c94`	pdf-javascript-stream	PDF /JS object 4 at offset 0x75	5170 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.