PDF malware analysis — malicious · 308866793e4adff5

MALICIOUS

PDF

24.7 KB Created: 2010-12-30 24:84:00 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)

MD5: 4afe52e7ccadbed1aecda49a08edefc7 SHA-1: 349147183fd605b0fdb2bc0cbbaa10cc13736e3b SHA-256: 308866793e4adff549e67037d7a49cba6ed40ac7fe7f493457819308a91be574

64 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.007 JavaScript

The PDF file contains embedded JavaScript that utilizes eval() and String.fromCharCode() for obfuscation. This technique is commonly used to hide malicious code, such as downloaders or exploit execution. The high confidence heuristic for eval() and the presence of JavaScript actions strongly suggest that the script is designed to execute arbitrary code, likely fetching and running a second-stage payload. The obfuscated nature of the script prevents a more detailed analysis of its specific actions.

Heuristics 4

eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
String.fromCharCode low PDF_FROMCHARCODE

String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.

Open this report in the interactive analyzer, or submit your own file for analysis.