Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f0dcb5ae5612287…

Verdict: MALICIOUS
File type: PDF
Size: 139.8 KB
Authoring application: Adobe Illustrator 11.0
MD5: bcfcc061aa567157c282598797cb7469
SHA-1: 24eaaf05a708a6244c5be0b1d8445d9a364910a3
SHA-256: 2f0dcb5ae5612287b76b0d4529538ce4e356f26d7dd941e1f939d6fb0af0ce54
Risk score: 174

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1190 Exploit Public-Facing Application

The PDF file contains multiple embedded JavaScript streams, with high-confidence heuristics indicating the use of eval(), unescape(), and String.fromCharCode() for obfuscation. The presence of U3D/3D content and related CVE indicators suggests an exploit targeting Adobe Reader's 3D parsing capabilities. This functionality is likely used to download and execute a second-stage payload, although the specific payload and its ultimate destination could not be determined from the provided evidence.

Heuristics (9)

  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator (severity: high; tag: CVE related; rule: PDF_U3D_CVE_RELATED)
    PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • eval() call (severity: high; rule: PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream).
  • unescape() call (severity: high; rule: PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
  • Embedded script payload in PDF stream (severity: medium; rule: PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (severity: low; rule: PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
  • Optional Content Group with action trigger (severity: low; rule: PDF_OPTIONAL_CONTENT)
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (25)

Files carved from inside the sample during analysis.

stream_039_off0000cf77.js
  SHA-256: 330f5c19c7ca995795516645be5b590157c01812f41bd6830cdc609bb5b9d4f9
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0xCF77; 22124 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens).

stream_040_off0000e046.js
  SHA-256: 8d96509eb240e1c77f143d6463dfd82b8d984cd0c96616652143d4177d854213
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0xE046; 17828 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens).

stream_041_off0000f111.js
  SHA-256: 09b34bae589e05293fdbe5ba726c9feea1d39254aa3a2572c62566f79c07fcec
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0xF111; 10565 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 10 eval/decoder/string-building tokens).

stream_043_off000109d8.js
  SHA-256: 3d4e97e99641ae4ea2def614d0172b5c2768ee7157063dd8fc966a6ecafa57df
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x109D8; 7287 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens).

stream_044_off00011180.js
  SHA-256: 57b1a76ccfe5da62ca94b81597d47c7d1f044cd6448a85298d1c63c79ec89f2f
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x11180; 2763 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens).

stream_045_off000115a1.js
  SHA-256: 6ae8528b471667fbe3b6ff0dc9c0b3d6e0d1a11041d403170e52ec2cdbbf5f7d
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x115A1; 10770 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 11 eval/decoder/string-building tokens).

stream_047_off00012923.js
  SHA-256: dd906f819ca1ff47b8f14405c84e0056f642d48a85e1bc7d1605e254e2e2be57
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x12923; 7435 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 6 eval/decoder/string-building tokens).

stream_048_off000130fd.js
  SHA-256: 63538b4c16f432496fc4fdc2fac0fffdbf233b5c556faf6fe8fcde67c6479861
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x130FD; 2820 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens).

stream_049_off0001352c.js
  SHA-256: 9c4ac2e0fb7a766c6cf8dd05e0f1fd828450f0b4095363594c7573d4c9a01727
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x1352C; 10842 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 12 eval/decoder/string-building tokens).

stream_051_off000147e3.js
  SHA-256: ec68211d0cfac86f7e0185e9e193f0bea47cf65bd09a9214a9313d82b14b37bf
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x147E3; 7438 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 6 eval/decoder/string-building tokens).

stream_052_off00014f6f.js
  SHA-256: eb05a87b69e3055d04239094d8eecce5ace02a9d75da368c364250ba224135be
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x14F6F; 2889 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 6 eval/decoder/string-building tokens).

stream_053_off000153ae.js
  SHA-256: 120ab9f2a702158271a1b5811a89b1031931970116a0440d0c6bf640c70094d3
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x153AE; 10605 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 9 eval/decoder/string-building tokens).

stream_055_off000167db.js
  SHA-256: 0784490c57fc7f6f85f08f4424c8c1877d0daf202eb35949cfeeae7849fa9ddf
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x167DB; 7256 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens).

stream_056_off00016f88.js
  SHA-256: 08d73fd0f586f9dba68fc156e933c642dabe9023c384ce02cfe3884e2a135129
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x16F88; 2834 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens).

stream_057_off000173b1.js
  SHA-256: 6238f0e69eeb260eb02db1a5b26ef76754b82a32cbfdcc63f3bf0b1f50efcec7
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x173B1; 10287 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 8 eval/decoder/string-building tokens).

stream_059_off00018624.js
  SHA-256: 2d6d97ac81740854ff7a92d6b2f5875ac90445f0b5f6fbd15205a0b6ac9f973c
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x18624; 7047 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens).

stream_060_off00018d93.js
  SHA-256: eecbaa76ec91fbf670099cabce9d685b294ef9a8bfc6b0250e1c77c3cc7aa073
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x18D93; 2725 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens).

stream_061_off000191b0.js
  SHA-256: f652b25a4741ac9a979d17534fcdbdfcfeb64f8503e6cdb80e1adf1296a61327
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x191B0; 10562 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 9 eval/decoder/string-building tokens).

stream_063_off0001a5b5.js
  SHA-256: acc8d9aede62e2375087e919f39ab8a3e1adbbda623132ba3a0e5ec21745ab31
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x1A5B5; 7438 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens).

stream_064_off0001ad5b.js
  SHA-256: f337cd4e88ab44e1f614456683420ad45d99bc869c9165f4df6197280f2eaa5a
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x1AD5B; 2609 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens).

stream_065_off0001b16c.js
  SHA-256: 3296e6bc1219cf0c0c6170a68f5f2e7c6770866d25fac8173684d6d2fa6053f5
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x1B16C; 10526 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 9 eval/decoder/string-building tokens).

stream_067_off0001c477.js
  SHA-256: 534450c580d1500b098b85412c96a0342dbf6fc1c95864f4dfb656761bd3f0fc
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x1C477; 7180 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens).

stream_068_off0001cbf0.js
  SHA-256: 39bf84a91483573dd2e8037285bbd165a940db5e04fa13514562ee50d4553691
  Kind / source / size: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x1CBF0; 2831 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens).

objstm_0301_00.bin
  SHA-256: f21a0034d0710b2827ef23547c9b5de09f0b512c8b06c539f5a1e5f2cf3095d0
  Kind / source / size: pdf-objstm-decoded; PDF /ObjStm 301 0 obj (inflated); 449 bytes

objstm_0302_00.bin
  SHA-256: 97d4961b2fdf2d0a951bd2ddf9f6c8ac547047c04dba976a09a1d0cd114bff53
  Kind / source / size: pdf-objstm-decoded; PDF /ObjStm 302 0 obj (inflated); 9786 bytes