Malicious PDF / .VIR — malware analysis report

Static analysis result for SHA-256 2738102aa5bff51c…

Verdict: MALICIOUS
File type: PDF / .VIR
Size: 140.0 KB
Created: 2010-04-07 20:48:09 +02:00
Authoring application: The AcroTeX eDucation Bundle (via pdfTeX-1.40.10)
MD5: 0b4463fd5aa13e8c681e3ae81a758f39
SHA-1: ff81e04d97c7d5e621f9bbb60faef14261382a86
SHA-256: 2738102aa5bff51c7bb80e35ed2781d1bf92dca53b41465eeaf3956a602bbc14
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The PDF carries 24 JavaScript artifacts carved from 17 /JS objects (objects 14 to 25, 54, 60, 66, 82 and 89). The rule set found an eval() call and String.fromCharCode string building in that JavaScript, and six of the objects (16, 18, 19, 21, 23 and 24) contain eval/decoder/string-building tokens, 20 of them in object 16 and 13 in object 23, which is the usual shape of staged, obfuscated code. An /AA (additional-actions) dictionary wired to an executable action and an AcroForm /Btn field with an action trigger mean that code can run on document or widget events (page open, focus, mouse-over) rather than only on an explicit click. Taken together this is consistent with a downloader or exploit-delivery stage, but no decoded payload, URL or target is present in the evidence on this page, and ClamAV flags none of the carved artifacts. Two caveats apply. The high entropy (7.83 to 7.93) reported for the embedded Type1 font streams is expected for eexec-encrypted, Flate-compressed font programs written by pdfTeX and is not evidence of a payload on its own. The authoring application, the AcroTeX eDucation Bundle, legitimately embeds JavaScript for interactive exercises, so the verdict rests on the eval/fromCharCode usage and the auto-trigger wiring, not on the presence of JavaScript as such; the T1059.001 (PowerShell) mapping is likewise not backed by any artifact listed below and should be treated as tentative until the eval stages are decoded.

Heuristics (7)

  • eval() call (severity: high, rule PDF_EVAL)
    eval() found; commonly used for obfuscated exploit execution.
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (severity: low, rule PDF_FROMCHARCODE)
    String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so on its own this is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
  • Additional-actions dictionary (severity: low, rule PDF_AA)
    PDF defines an /AA (Additional Actions) dictionary that references an executable action (JS/JavaScript/Launch/SubmitForm) and can therefore auto-trigger on document or widget events. Form-field calculate/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.).
  • AcroForm button with action trigger (severity: low, rule PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
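The following script is an added example and not the analysis platform's own code. It re-implements the kind of checks the rule names above describe (PDF_JS, PDF_JAVASCRIPT, PDF_EVAL, PDF_FROMCHARCODE, PDF_AA, PDF_ACROFORM_BUTTON, PDF_OPENACTION) with regular expressions over the raw file, inflates /FlateDecode streams to reach the JavaScript, follows indirect references so an /AA entry that points at a separate action object still counts, and adds the Shannon-entropy and token-count measures used for carved artifacts. The rule weights, the token list and the sample PDF it builds are assumptions made for this example; the report does not publish its scoring.

```python
"""Static triage of PDF JavaScript and action triggers (added example; see lead-in)."""
import math
import re
import zlib
from collections import Counter

# Assumed weights: the report does not publish how its 0-100 risk score is built.
RULE_WEIGHTS = {"PDF_EVAL": 40, "PDF_OPENACTION": 25, "PDF_JAVASCRIPT": 5, "PDF_JS": 5,
                "PDF_FROMCHARCODE": 5, "PDF_AA": 5, "PDF_ACROFORM_BUTTON": 5}
# Assumed "eval/decoder/string-building" token list (util.byteToChar is an Acrobat API).
OBFUSCATION_TOKENS = ("eval(", "unescape(", "String.fromCharCode", "charCodeAt(",
                      "decodeURIComponent(", "util.byteToChar(")
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
REF_RE = re.compile(rb"(\d+)\s+0\s+R\b")
ACTION_RE = re.compile(rb"/(?:JS|JavaScript|Launch|SubmitForm|URI)\b")
AA_RE = re.compile(rb"/AA\s*<<(.*?)>>", re.DOTALL)  # naive: stops at the first '>>'

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 8.0 max. Compressed fonts and images legitimately score high."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_objects(pdf: bytes) -> dict:
    """Object number -> raw body (dictionary plus stream, if any); no xref parsing."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}

def decode_stream(obj: bytes):
    """Stream payload with /FlateDecode inflated; None if the object has no stream."""
    m = STREAM_RE.search(obj)
    if not m:
        return None
    try:
        return zlib.decompress(m.group(1)) if b"/FlateDecode" in obj[:m.start()] else m.group(1)
    except zlib.error:
        return m.group(1)  # corrupt filter: keep the raw bytes, which is itself worth a look

def read_literal(body: bytes, start: int) -> bytes:
    """PDF literal string whose '(' is at body[start]; nested parentheses balance."""
    depth, i, out = 0, start, bytearray()
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":  # keep escape pairs intact
            out += body[i:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            break
        if not (c == b"(" and depth == 1):
            out += c
        i += 1
    return bytes(out)

def extract_javascript(objects: dict) -> dict:
    """Every /JS literal string and every stream an /JS key refers to, as text."""
    scripts = {}
    for num, body in objects.items():
        for m in re.finditer(rb"/JS\b\s*(?=\()", body):
            scripts[f"obj{num}_literal"] = read_literal(body, m.end()).decode("latin-1")
        for m in re.finditer(rb"/JS\b\s+(\d+)\s+0\s+R", body):
            data = decode_stream(objects.get(int(m.group(1)), b""))
            if data is not None:
                scripts[f"obj{int(m.group(1))}_stream"] = data.decode("latin-1", "replace")
    return scripts

def has_action(body: bytes, objects: dict, depth: int = 0) -> bool:
    """True if body carries an executable action directly or through an indirect reference."""
    return ACTION_RE.search(body) is not None or (depth < 3 and any(
        has_action(objects.get(int(n), b""), objects, depth + 1) for n in REF_RE.findall(body)))

def evaluate(pdf: bytes) -> dict:
    """Rule hits, an assumed 0-100 score and per-script obfuscation token counts."""
    objects = parse_objects(pdf)
    scripts = extract_javascript(objects)
    all_js = "\n".join(scripts.values())
    hits = {rule for rule, fired in [
        ("PDF_JS", bool(scripts)),
        ("PDF_EVAL", "eval(" in all_js),
        ("PDF_FROMCHARCODE", "String.fromCharCode" in all_js),
        ("PDF_JAVASCRIPT", any(b"/JavaScript" in b for b in objects.values())),
        ("PDF_OPENACTION", any(b"/OpenAction" in b for b in objects.values())),
        ("PDF_AA", any(has_action(aa.group(1), objects)
                       for b in objects.values() for aa in AA_RE.finditer(b))),
        ("PDF_ACROFORM_BUTTON", any(re.search(rb"/FT\s*/Btn\b", b) and has_action(b, objects)
                                    for b in objects.values())),
    ] if fired}
    return {"hits": sorted(hits), "score": min(100, sum(RULE_WEIGHTS[r] for r in hits)),
            "tokens": {n: sum(js.count(t) for t in OBFUSCATION_TOKENS) for n, js in scripts.items()}}

# Constructed, harmless sample that trips the same rules the report lists.
SAMPLE_JS = b'var s = String.fromCharCode(97, 112, 112);\neval(s + ".alert(1)");\n'

def build_sample_pdf() -> bytes:
    js = zlib.compress(SAMPLE_JS)
    bodies = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [5 0 R] >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> /Annots [5 0 R] >>",
        b"<< /S /JavaScript /JS 6 0 R >>",
        b"<< /Type /Annot /Subtype /Widget /FT /Btn /T (Open) /A << /S /JavaScript /JS (app.alert(1)) >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js) + js + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    for num, body in enumerate(bodies, start=1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return bytes(out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
```

Running `evaluate(build_sample_pdf())` fires all seven rules on the constructed file. The regex approach deliberately ignores the xref table and object streams, which is what lets it see objects a malformed or deliberately broken PDF hides from a conforming parser, at the cost of false matches inside binary streams; a second pass with a real PDF library is still worth doing before drawing conclusions. The entropy function is the same measure the report applies to carved artifacts, and its docstring records the caveat that fonts and images score high without being payloads.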

Extracted artifacts (30)

Files carved from inside the sample during analysis. Each entry lists the filename, its SHA-256, the kind of artifact, the source (PDF object and byte offset) and the size; a Detection line follows where the static triage checks fired.
javascript_obj0014_000.js
  SHA-256: d67568c2dd56b36bb04aab7ea6b5b20d797484ddec13d3ea8143cd6324139d36
  Kind: pdf-javascript-stream | Source: PDF /JS object 14 at offset 0x4D3 | Size: 163 bytes
javascript_obj0015_001.js
  SHA-256: bdae460322a269b37cf3014b71092eadbea8dedc0eb231a8a9754f8cb85a0e58
  Kind: pdf-javascript-stream | Source: PDF /JS object 15 at offset 0x5B9 | Size: 2305 bytes
javascript_obj0015_002.js
  SHA-256: 25090737cd6621ef38859a216e0bd5ee7ff2b9cd746961f47d93861f0cc47f19
  Kind: pdf-javascript-stream | Source: PDF /JS object 15 at offset 0x5B9 | Size: 239 bytes
javascript_obj0016_003.js
  SHA-256: af92b232c0be62212cda9565950628b99053c64989f5f2a45315c26cdd4e51db
  Kind: pdf-javascript-stream | Source: PDF /JS object 16 at offset 0xFA3 | Size: 12701 bytes
  Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact contains 20 eval/decoder/string-building tokens)
javascript_obj0016_004.js
  SHA-256: f531222f36bde7e3702f4676fcfb8df0304f583b3a6dd8589a8c6553a8d55972
  Kind: pdf-javascript-stream | Source: PDF /JS object 16 at offset 0xFA3 | Size: 47 bytes
javascript_obj0017_005.js
  SHA-256: dd0bd99ccb05a42322935bc687b5ee701187c6a4dd5ccc3c15d1acd52d020440
  Kind: pdf-javascript-stream | Source: PDF /JS object 17 at offset 0x4686 | Size: 2469 bytes
javascript_obj0018_007.js
  SHA-256: b8e9225c13860c8cea820b45beb193221006408e7b85d07d6278ed69e7395486
  Kind: pdf-javascript-stream | Source: PDF /JS object 18 at offset 0x5123 | Size: 11759 bytes
  Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact contains 1 eval/decoder/string-building token)
javascript_obj0019_009.js
  SHA-256: d1d02691af96ff490ef0acd12ec2fc89bd17a9b22498b7ff0cd1c2dabfdfebc5
  Kind: pdf-javascript-stream | Source: PDF /JS object 19 at offset 0x8310 | Size: 2018 bytes
  Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact contains 1 eval/decoder/string-building token)
javascript_obj0019_010.js
  SHA-256: 072a23733de37e0bd77f1678aff5a307fdd8e64fecffcc0e88f645e2da3da4d0
  Kind: pdf-javascript-stream | Source: PDF /JS object 19 at offset 0x8310 | Size: 81 bytes
javascript_obj0020_011.js
  SHA-256: b9dc67cd18f4c30cf0ced31f0b531655b5bb453053592a63773a73a19728a656
  Kind: pdf-javascript-stream | Source: PDF /JS object 20 at offset 0x8BB3 | Size: 2294 bytes
javascript_obj0020_012.js
  SHA-256: fa562bd65a6760194901727d09a59bbbee66e5103d64da03231924d40b86ed59
  Kind: pdf-javascript-stream | Source: PDF /JS object 20 at offset 0x8BB3 | Size: 45 bytes
javascript_obj0021_013.js
  SHA-256: 07613261b8d43646cbe69db0e72df82e42fd1f49602eefa944c80c31975e4ef9
  Kind: pdf-javascript-stream | Source: PDF /JS object 21 at offset 0x95BE | Size: 1055 bytes
  Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact contains 3 eval/decoder/string-building tokens)
javascript_obj0021_014.js
  SHA-256: f8fbc068303dfbb938e728f72740d0f912412a87cab49f909f5db09c0a6393d7
  Kind: pdf-javascript-stream | Source: PDF /JS object 21 at offset 0x95BE | Size: 51 bytes
  Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact contains 1 eval/decoder/string-building token)
javascript_obj0022_015.js
  SHA-256: 7d9a65ee82360c4eaf63fec39a7f3e86c81eed8f5e67e0ce294705a8dc108dc1
  Kind: pdf-javascript-stream | Source: PDF /JS object 22 at offset 0x9A62 | Size: 112 bytes
javascript_obj0023_016.js
  SHA-256: b4418934cb96d9dc733cd23c4c5c5ea768580e53eb49611e5cd671342961efb8
  Kind: pdf-javascript-stream | Source: PDF /JS object 23 at offset 0x9B0F | Size: 1796 bytes
  Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact contains 13 eval/decoder/string-building tokens)
javascript_obj0023_017.js
  SHA-256: 9c8e131e39b271c45fec5e60193978a6a47db104b9a1d3cd0699664c65db2959
  Kind: pdf-javascript-stream | Source: PDF /JS object 23 at offset 0x9B0F | Size: 36 bytes
javascript_obj0024_018.js
  SHA-256: d31d9b61688c975e4abf59803492b2e5dde731042e099f70205b9b3a5dbb445b
  Kind: pdf-javascript-stream | Source: PDF /JS object 24 at offset 0xA2E6 | Size: 4743 bytes
  Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact contains 1 eval/decoder/string-building token)
javascript_obj0025_020.js
  SHA-256: f3ec06f97322f3d48513dc5be2c797d8d532d7ce4491dfa434dd1ca1c329bf0b
  Kind: pdf-javascript-stream | Source: PDF /JS object 25 at offset 0xB78A | Size: 3556 bytes
javascript_obj0025_021.js
  SHA-256: e01e90c5bc275585ecdcdf5fdb280d54d672953ac7a241bf0e7274229cea5dd2
  Kind: pdf-javascript-stream | Source: PDF /JS object 25 at offset 0xB78A | Size: 204 bytes
javascript_obj0054_032.js
  SHA-256: 3c4d8e24e11f249ee5ac0fad30fc0807d68334191d61155fd1da26e1cf74eab3
  Kind: pdf-javascript-stream | Source: PDF /JS object 54 at offset 0xE30C | Size: 200 bytes
javascript_obj0060_035.js
  SHA-256: c45db5818946bca2e52fb624b99ef6e7bd3d5ba645013587f57a6d053f1d8232
  Kind: pdf-javascript-stream | Source: PDF /JS object 60 at offset 0xE774 | Size: 198 bytes
javascript_obj0066_037.js
  SHA-256: 5f4802d52f43dbbd91c26452b24ef9d0abaefe8c10310a55cb1fd7d008733042
  Kind: pdf-javascript-stream | Source: PDF /JS object 66 at offset 0xEBD9 | Size: 200 bytes
javascript_obj0082_042.js
  SHA-256: 368b0461c5bb7ab2eaf3ab881e2dd8e94af8168336fb243f9f810e14da32e1d4
  Kind: pdf-javascript-stream | Source: PDF /JS object 82 at offset 0xF872 | Size: 226 bytes
javascript_obj0089_044.js
  SHA-256: 938028fc74d189ee16e92dd157fc7e5bb6e03c3e8bd9867e33fbb6730d22645a
  Kind: pdf-javascript-stream | Source: PDF /JS object 89 at offset 0xFD10 | Size: 232 bytes
font_00_type1_off00013ac6.bin
  SHA-256: c04bc109adad3cdb2bfa377a1b33ff7af29a6ffb3110842ddbbaa5b62e48a584
  Kind: pdf-font-stream | Source: PDF embedded font (type1) at offset 0x13AC6 | Size: 19758 bytes
  Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact entropy is 7.93, consistent with packed or encrypted content)
font_01_type1_off0001867f.bin
  SHA-256: 644db27eb742913d40ec851d947befa572eeefa4c789235c9ab9d7331bbfc597
  Kind: pdf-font-stream | Source: PDF embedded font (type1) at offset 0x1867F | Size: 7485 bytes
  Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact entropy is 7.83, consistent with packed or encrypted content)
font_02_type1_off0001a34f.bin
  SHA-256: 221f3656d20762146823a9855e35fb4d6392ebe814e263527a44126c27457bbf
  Kind: pdf-font-stream | Source: PDF embedded font (type1) at offset 0x1A34F | Size: 9018 bytes
  Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact entropy is 7.87, consistent with packed or encrypted content)
font_03_type1_off0001c60d.bin
  SHA-256: c01b3b7faf42cf6372380992903d4cefcae00ddc5295bb6e73617a7f64858e64
  Kind: pdf-font-stream | Source: PDF embedded font (type1) at offset 0x1C60D | Size: 8340 bytes
  Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact entropy is 7.85, consistent with packed or encrypted content)
font_04_type1_off0001e610.bin
  SHA-256: abf1d992781e37f09a45c1e202d24d24842dcbe39c72a9f57405e78b7f3ddfa1
  Kind: pdf-font-stream | Source: PDF embedded font (type1) at offset 0x1E610 | Size: 11476 bytes
  Detection: ClamAV no threats found; obfuscation or payload likely (carved artifact entropy is 7.89, consistent with packed or encrypted content)
font_05_type1_off00021217.bin
  SHA-256: 812b84ec6a1d83966f756f5bfc871c6d4c5c8cb339f94ba17ea94acc92e3ea8e
  Kind: pdf-font-stream | Source: PDF embedded font (type1) at offset 0x21217 | Size: 2535 bytes
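The token counts above say which carved scripts use eval, String.fromCharCode and related decoders, but not what those stages evaluate. The next triage step is to unfold the string-building statically, without running the script in a PDF reader. The following is an added example, not the analysis platform's code and not derived from the carved artifacts (which are not reproduced on this page): it rewrites String.fromCharCode calls with decimal arguments into string literals, decodes unescape("%u...") payloads into the bytes a heap spray would place in memory, and reports what each eval() would receive when its argument is literals and simple variables joined by '+'. The sample script is constructed for the example and is harmless; anything more dynamic than that (function calls, arithmetic, array indexing) is reported as unresolved rather than guessed.

```python
"""Static unfolding of eval/fromCharCode/unescape idioms (added example; see lead-in)."""
import re

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+?)\s*\)")  # decimal args only
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)")
EVAL_RE = re.compile(r"eval\(((?:[^()]|\([^()]*\))*)\)")                    # one nesting level
VAR_RE = re.compile(r"\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*(\"(?:[^\"\\]|\\.)*\"|'(?:[^'\\]|\\.)*')\s*;")
PERCENT_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def literal_value(token: str):
    """Contents of a quoted JS string literal with backslash escapes removed, else None."""
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return None

def fold_fromcharcode(js: str) -> str:
    """Rewrite String.fromCharCode(97, 112, 112) as the literal "app"."""
    def repl(m):
        text = "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip())
        return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return FROMCHARCODE_RE.sub(repl, js)

def decode_unescape(text: str) -> bytes:
    """JS unescape() semantics: %uXXXX is a UTF-16 unit (stored little-endian), %XX a byte."""
    out, i = bytearray(), 0
    while i < len(text):
        m = PERCENT_RE.match(text, i)
        if m and m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        elif m:
            out.append(int(m.group(2), 16))
        else:
            out.append(ord(text[i]) & 0xFF)  # plain character passes through
        i = m.end() if m else i + 1
    return bytes(out)

def extract_unescape_payloads(js: str) -> list:
    """Decoded bytes of every unescape("...") call; in PDF exploits this is usually shellcode."""
    return [decode_unescape(m.group(2)) for m in UNESCAPE_RE.finditer(js)]

def resolve_eval_stages(js: str) -> list:
    """What each eval() receives when its argument is literals and simple vars joined by '+'.
    Unresolvable arguments (function calls, arithmetic) come back as None."""
    js = fold_fromcharcode(js)
    env = {m.group(1): literal_value(m.group(2)) for m in VAR_RE.finditer(js)}
    stages = []
    for m in EVAL_RE.finditer(js):
        pieces = []
        for tok in (t.strip() for t in m.group(1).split("+")):
            val = literal_value(tok) if tok[:1] in ("'", '"') else env.get(tok)
            if val is None:
                pieces = None
                break
            pieces.append(val)
        stages.append(None if pieces is None else "".join(pieces))
    return stages

# Constructed sample in the style the token counts above point at; harmless.
SAMPLE_JS = (
    'var s = String.fromCharCode(97, 112, 112);\n'
    'var sc = unescape("%u9090%u4141%41");\n'
    'eval(s + ".alert(1)");\n'
    'eval(decode(sc));\n'
)
```

On the sample, `resolve_eval_stages` recovers `app.alert(1)` for the first eval and returns None for the second, because `decode(sc)` is a call the static pass cannot evaluate; that None is the signal to move on to instrumented execution (a JavaScript engine with eval replaced by a function that records its argument). `decode_unescape` keeps the little-endian byte order that Acrobat's heap layout gives %u escapes, so the bytes it returns are what a disassembler should be pointed at.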