Malicious PDF — malware analysis report

Static analysis result for SHA-256 2166387ca97f0332…

Verdict: MALICIOUS

File type: PDF

Size: 28.9 KB
Created: 2010-02-15 23:26:48 -08:00
MD5: c394d11d7650cf0b877dc9ca2ba944c6
SHA-1: e7ac5b1c63c7ce25f9e75d6d0d512cf62e537500
SHA-256: 2166387ca97f033243c0c2ce69558ff11c6abdfd4ff16dd9d6f8b64bc89428a1
Risk Score: 84

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains an embedded JavaScript stream, indicated by multiple heuristic firings. This script is likely responsible for the malicious nature of the file, potentially downloading and executing a second-stage payload. The presence of the EICAR test signature further confirms its malicious classification. While the script's exact functionality is not fully discernible due to obfuscation, its execution is the primary attack vector.

Heuristics (5)

  • ClamAV: Eicar-Test-Signature critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Eicar-Test-Signature
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • stream_002_off000003e5.js
    SHA-256: d255d775069bfe0d32015488f3c64c62d1a1f587a3876c5e8a45f3dcbbd11a2a
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3E5
    Size: 3021 bytes
  • stream_006_off00003590.bin
    SHA-256: eaee67590d07d5d6e379ea782fafebf110116a1a82273be2466e929115582609
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3590
    Size: 20836 bytes