Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ef983abecc66a82…

MALICIOUS

PDF

307.9 KB Created: 2010-09-14 18:59:05 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: 2f589c48c732aca21763758e4f5b64f3 SHA-1: d60d846504f45a8b8085d4d0621448b98335e212 SHA-256: 2ef983abecc66a824c70870e2192b0edb5cf61b057be2091e720c328acf5d19b
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1105 Ingress Tool Transfer

The PDF file contains embedded JavaScript that uses `unescape()` and `eval()` functions, indicating obfuscation. This script is likely designed to download and execute a second-stage payload from one of the embedded URLs. The presence of these obfuscation techniques and the embedded URLs strongly suggests malicious intent, likely for malware delivery.

Heuristics 6

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://khankhenti.com/kjfdjyte/nrvx.php?arg=Experiment+fair+food+science
    • http://tlabs.bgu.ac.il/jydtre/knvr.php?arg=worksheet+on+population+genetics
    • http://tlabs.bgu.ac.il/jydtre/knvr.php?arg=centos+samba+users+blank
    • http://khankhenti.com/kjfdjyte/nrvx.php?arg=Weekend+food+basket+edmonton+alberta
    • http://tlabs.bgu.ac.il/jydtre/knvr.php?arg=rfg+rikki+food+group+of+canada
    • http://ecosdelplata.com/Top/gvma.php?arg=English+food+maastricht
    • http://menshealthonlineshop.com/products/men_s_health/maxaman/
    • http://menshealthonlineshop.com/products/men_s_health/cialisjelly/
    • http://www.urchinentertainment.com/parts-of-a-textbook-worksheet-myblognews.html
    • http://www.avenallenterprises.com/kjjhgtte/trvh.php?arg=high+school+interest+inventories+worksheets
    • http://www.avenallenterprises.com/kjjhgtte/trvh.php?arg=chinese+food+maine+mall
    • http://khankhenti.com/kjfdjyte/nrvx.php?arg=Food+while+driving

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off0000bde3.bin
a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xBDE3 264072 bytes
embedded_pdf_script_0004ceae.bin
764642614459a4db73aa6bde4db58d98dc58f6e3ef4bf6ea8591446037716e1f		 pdf-embedded-script PDF decompressed stream script payload at offset 0x4CEAE 315257 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.