PDF malware analysis — malicious · 2beebc30b74cd0f2

MALICIOUS

PDF

1017.1 KB Created: 2009-05-11 20:47:27 +08:00

MD5: 4a3c3233bea9be1b9828148ae478a9b7 SHA-1: 28cf083cc05ce66b9136ce63889107f7bacd3a3b SHA-256: 2beebc30b74cd0f25c025e4341e6fad216e345955c31115dabea635066f000a6

84 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF contains embedded JavaScript, with a high-confidence heuristic firing for 'eval()' and 'String.fromCharCode()'. This suggests the script is obfuscated and designed to execute arbitrary code. The presence of an embedded JavaScript file ('javascript_obj0063_001.js') further supports this. The script's likely intent is to download and execute a second-stage payload, which is a common technique for malware delivery. No specific family could be identified.

Heuristics 9

eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
String.fromCharCode low PDF_FROMCHARCODE

String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE

PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdfx/1.3/
- http://www.w3.org/1999/xhtml
- http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0034_000.js` `97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61`	pdf-javascript-stream	PDF /JS object 34 at offset 0xF76B7	1946 bytes
`javascript_obj0063_001.js` `b724ebc62d6d42a8641e225407c2ce6c2e532c37fcfe9d07b44571a82c380eeb`	pdf-javascript-stream	PDF /JS object 63 at offset 0xFC4D4	22180 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).
`objstm_0037_00.bin` `b428c2f4870fae0526567cf77c099cf670e2322887bfea6ea9524203cd643431`	pdf-objstm-decoded	PDF /ObjStm 37 0 obj (inflated)	48 bytes
`objstm_0059_00.bin` `926ac9d40938e4da7655ca1cedb2c842082fc0e24db16e7dc1e576b82a7966df`	pdf-objstm-decoded	PDF /ObjStm 59 0 obj (inflated)	58 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.