Malicious PDF — malware analysis report

Static analysis result for SHA-256 28525eb6cbc1b9cd…

Verdict: MALICIOUS
File type: PDF
Size: 1.95 MB
MD5: 5712b3242f90de8928811fd81d7d6310
SHA-1: a532eaa88ef393a189a36ccbb791af850cbbcb7d
SHA-256: 28525eb6cbc1b9cd0a54541d3ddf9f5979b9ce31bb9e003178a95da20bf2de4f
Risk score: 188

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The PDF contains multiple embedded JavaScript streams (objects 8, 111711 and 111712 in the artifact list below); one of them triggered the high-severity eval() rule and the low-severity String.fromCharCode rule, a combination that points to obfuscation. Together with the ClamAV signature (Pdf.Dropper.Agent-7241941-0) and the critical heuristic for a secondary embedded PDF body with suspicious static findings, this strongly suggests dropper functionality: the embedded JavaScript downloads and executes a secondary payload from the reconstructed URL 'http://192.168.1.1/payload.exe'. Two caveats before consuming this as threat intelligence: 192.168.1.1 is an RFC 1918 address, so the download could only succeed on the victim's own network, which fits a test or lure sample better than live infrastructure, and the URL should not be treated as an external network indicator; and the T1059.001 (PowerShell) mapping is inferred from the dropper pattern, since no PowerShell artifact appears among the static findings listed here.

Heuristics (8)

  • Secondary embedded PDF body has suspicious static findings [critical] POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV: Pdf.Dropper.Agent-7241941-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7241941-0.
  • eval() call [high] PDF_EVAL
    eval() found; commonly used for obfuscated exploit execution (matched inside a decoded stream).
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode [low] PDF_FROMCHARCODE
    String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside a decoded stream).
  • PDF differential parser failed [info] PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file with PDFSyntaxError. Static heuristics still ran and their findings above stand; only the differential cross-check signal is missing.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
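As an added example, not code from the analysis platform that produced this report: a self-contained Python script that reproduces the core of the heuristics above on a constructed PDF-shaped sample. It locates every %PDF- signature and carves from it to EOF (the POLYGLOT_CHILD_PDF behaviour, which is why such carves overlap), follows /JS N 0 R references to their stream objects and inflates them, applies the double percent-decode stage, folds String.fromCharCode(...) calls into literals so a split URL can be reconstructed, scores eval/fromCharCode/decoder tokens the way PDF_EVAL and PDF_FROMCHARCODE do, and flags download hosts that sit in private address space. The regex-based object parsing, the sample bytes, the 'decoder token' list and the private-host check are assumptions of this example, not the scanner's real implementation; a production carver walks the xref and honours /Length for every stream.

```python
from __future__ import annotations
import ipaddress
import re
import zlib
from urllib.parse import quote, unquote, urlsplit

# Regex parsing is a deliberate simplification of xref-walking tooling such as
# pdfminer: a direct /Length is honoured when present, else the next 'endstream'.
PDF_MAGIC = re.compile(rb"%PDF-")
OBJ_RE = re.compile(rb"(?P<num>\d+)\s+\d+\s+obj(?P<body>.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"<<(?P<dict>.*?)>>\s*stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?=\s*/|\s*$)")  # direct /Length only, not 'N 0 R'
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")         # /JS 9 0 R -> stream object 9
JS_LITERAL_RE = re.compile(rb"/JS\s*\((?P<js>(?:\\.|[^)\\])*)\)", re.DOTALL)
FCC_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
DECODER_TOKENS = (r"\beval\s*\(", r"String\.fromCharCode", r"\bunescape\s*\(")  # assumed rule set

def find_pdf_bodies(data: bytes) -> list[tuple[int, int]]:
    """(offset, carved length) per %PDF- signature. The carve runs to EOF, so
    children at nonzero offsets overlap the parent and each other."""
    return [(m.start(), len(data) - m.start()) for m in PDF_MAGIC.finditer(data)]

def extract_js(data: bytes) -> list[tuple[int, int, bytes]]:
    """(object number, file offset, raw JS bytes) for /JS streams and inline literals."""
    objs = {int(m.group("num")): (m.start("body"), m.group("body"))
            for m in OBJ_RE.finditer(data)}
    targets = {int(r.group(1)) for _, body in objs.values() for r in JS_REF_RE.finditer(body)}
    out = []
    for num in sorted(n for n in targets if n in objs):
        off, body = objs[num]
        s = STREAM_RE.search(body)
        if not s:
            continue
        start, length = s.end(), LENGTH_RE.search(s.group("dict"))
        end = start + int(length.group(1)) if length else body.find(b"endstream", start)
        if end < start:
            continue
        js = body[start:end]
        if b"/FlateDecode" in s.group("dict"):
            try:
                js = zlib.decompress(js)
            except zlib.error:
                pass  # truncated or not really deflate: score the raw bytes instead
        out.append((num, off + start, js))
    for num, (off, body) in objs.items():  # inline /JS (...) literal strings
        for lit in JS_LITERAL_RE.finditer(body):
            out.append((num, off + lit.start("js"), lit.group("js")))
    return out

def double_percent_decode(js: str) -> str:
    """Two %XX passes (the 'double percent-decoded' stage), stopping early if a pass is a no-op."""
    for _ in range(2):
        decoded = unquote(js)
        if decoded == js:
            break
        js = decoded
    return js

def fold_fromcharcode(js: str) -> str:
    """Replace String.fromCharCode(...) with literal integer arguments by the string it
    builds, then join "a"+"b" so a URL split across literals reads as one token. No JS runs."""
    def repl(m: re.Match) -> str:
        return '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"'
    return re.sub(r'"\s*\+\s*"', "", FCC_RE.sub(repl, js))

def host_is_private(url: str) -> bool:
    """RFC 1918 / loopback / link-local host: the download only works on the victim's LAN."""
    try:
        return ipaddress.ip_address(urlsplit(url).hostname or "").is_private
    except ValueError:  # hostname rather than an IP literal
        return False

def score_js(js: bytes) -> dict:
    """Approximates the PDF_EVAL / PDF_FROMCHARCODE rules and the decoder-token count."""
    decoded = double_percent_decode(js.decode("latin-1"))
    urls = URL_RE.findall(fold_fromcharcode(decoded))
    return {"PDF_EVAL": re.search(DECODER_TOKENS[0], decoded) is not None,
            "PDF_FROMCHARCODE": "String.fromCharCode" in decoded,
            "decoder_tokens": sum(len(re.findall(p, decoded)) for p in DECODER_TOKENS),
            "urls": urls, "private_hosts": [u for u in urls if host_is_private(u)]}

def triage(data: bytes) -> dict:
    return {"polyglot_children": [b for b in find_pdf_bodies(data) if b[0] != 0],
            "js": [{"obj": n, "offset": o, **score_js(j)} for n, o, j in extract_js(data)]}

def build_sample() -> bytes:
    """Constructed bytes for this example, not the report's sample: action object 8 points
    /JS at stream 9 (deflated, double percent-encoded eval stage) and a second %PDF- header
    follows at a nonzero offset as the polyglot child."""
    inner = 'var u=String.fromCharCode(104,116,116,112)+"://192.168.1.1/payload.exe";eval("u");'
    outer = f'eval(unescape("{quote(quote(inner, safe=""), safe="")}"))'
    stream = zlib.compress(outer.encode())
    parent = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 8 0 R >> endobj\n"
              b"8 0 obj << /S /JavaScript /JS 9 0 R >> endobj\n"
              b"9 0 obj << /Length " + str(len(stream)).encode() + b" /Filter /FlateDecode >>\n"
              b"stream\n" + stream + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
    child = b"%PDF-1.4\n2 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 2 0 R >>\n%%EOF\n"
    return parent + child

if __name__ == "__main__":
    print(triage(build_sample()))
```

Run on its own it prints the triage dict for the built-in sample: one polyglot child whose offset plus carved length equals the file size, and one JavaScript object that scores eval, fromCharCode, four decoder tokens and a reconstructed URL on a private host. Pointing triage() at real bytes shows why the two child carves in this report both end on the same byte.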

Extracted artifacts (9)

Files carved from inside the sample during analysis. Note that both secondary PDF bodies are carved from their %PDF- header to the end of the container (0xAD6 + 2,045,226 and 0x1AE7 + 2,041,113 both equal 2,048,000 bytes), so the second carve lies entirely inside the first and both overlap the parent; they are not two independent documents. Neither carve is flagged by ClamAV, so the Pdf.Dropper.Agent-7241941-0 signature matches the top-level file only.

  • javascript_obj111711_000.js
    SHA-256: 81ce03a90a2c0ef5252218223ed8bbac0a54f9cee86d0313d2ecd07551976896
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111711 at offset 0x197
    Size: 370 bytes
    Detection: ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token).
  • javascript_obj111712_001.js
    SHA-256: 8171224f22a8be3cd36646e551f0497e5d8ea92069820da3889ba37374a6d559
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111712 at offset 0x246
    Size: 2950 bytes
    Detection: ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token).
  • javascript_obj0008_000.js
    SHA-256: 03dc6913b1b7606c094a44681168c6b627f0a62c1d807ab31240319d37548942
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 1850 bytes
  • legacy_pdfkit_stage_000.js
    SHA-256: aa2be694f56b465b575cc382d831f3e467a4fe15e581465f8c7e7cadb082c60a
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0x955
    Size: 256 bytes
  • polyglot_child_pdf_off00000ad6.pdf
    SHA-256: f36a1ee6b47937eb9dec6708f2654579cae2b2954ac04cfce4487a3a31657ff0
    Kind: polyglot-child-pdf
    Source: secondary PDF body inside the PDF container at offset 0xAD6
    Size: 2045226 bytes
    Detection: ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 3 long base64-like blobs).
  • javascript_obj0008_000_1.js
    SHA-256: e0d64f1b62351e8ae9dcadb57ce75785822c1bb3a2a3b3ff9ef7babcf7e59221
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 1672 bytes
  • legacy_pdfkit_stage_000_1.js
    SHA-256: 77f40a75b10286d73737525ffcb84979d64f5e28693ee66f485c04ebea1690a1
    Kind: deobfuscated-js
    Source: repeated-marker hex-decoded JavaScript at offset 0x8A3
    Size: 125 bytes
  • legacy_pdfkit_stage_001.js
    SHA-256: bae20fc1cca32d8650b9be61640b90b39b06781911f0bc563c48e0ec11fdb12c
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0x8A3
    Size: 1894 bytes
    Detection: ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 3 eval/decoder/string-building tokens).
  • polyglot_child_pdf_off00001ae7.pdf
    SHA-256: 925ab1b002d9cc1173df4a9e8feffd5e48e0323fe96cc6804bd0eac4259fb1a3
    Kind: polyglot-child-pdf
    Source: secondary PDF body inside the PDF container at offset 0x1AE7
    Size: 2041113 bytes
    Detection: ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs).