Malicious PDF — malware analysis report

Static analysis result for SHA-256 273600ab1a8a0dfa…

Verdict: MALICIOUS
File type: PDF
Size: 7.4 KB
Created: 2010-09-16 18:55:19
Authoring application: Tolhipezorojpagiwaqo (via 68c18Seueganadazaqeav)
MD5: 67bc828bb23f1d44b40ba4a8edc888de
SHA-1: 80fe5fb3bdf774484c71fa28b97cd011caaab888
SHA-256: 273600ab1a8a0dfa3f040c3792603a42c308787590d9d587b1162f7416460ebd
Risk Score: 76

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ClamAV detection for 'Heuristics.PDF.ObfuscatedNameObject' further confirms its malicious nature. The embedded JavaScript stream, carved as 'javascript_obj0011_000.js', is the primary mechanism for executing the malicious payload. While the exact actions of the script are not fully detailed due to obfuscation, its presence strongly suggests it is designed to download and execute a second-stage payload.

Heuristics (3)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0011_000.js
SHA-256: e2d41866c9fb013feb60cefe8b41892c7277decb0774febb940ce493b1221654
Kind: pdf-javascript-stream
Source: PDF /JS object 11 at offset 0x1387
Size: 2332 bytes