PDF malware analysis — malicious · 2ef877f87ecd1490

MALICIOUS

PDF

45.2 KB

MD5: 4b3dd0593a39efc972f58fbba69a426b SHA-1: 46d942ae65ca7de17aede763cdc65daa8a044af5 SHA-256: 2ef877f87ecd14906cbba6a977a8619346cc088bad440f58d008600c9f6134d0

84 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF document contains embedded JavaScript, indicated by multiple heuristic firings including 'PDF_JAVASCRIPT' and 'PDF_JS'. The ClamAV detection 'Heuristics.PDF.ObfuscatedNameObject' further suggests malicious intent. While the document body is heavily obfuscated and unreadable, the presence of JavaScript points towards an attempt to execute arbitrary code. The embedded URLs, though mostly benign or unknown, are part of the document's structure.

Heuristics 5

ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.6/
- http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0012_000.js` `251a895f701620fdffd3446e7023e31af97102d12148d6f2364a29b44f9dfde9`	pdf-javascript-stream	PDF /JS object 12 at offset 0xA1D4	3638 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.