Malicious PDF — malware analysis report

Static analysis result for SHA-256 30ea16e772c12e5e…

Verdict: MALICIOUS
File type: PDF
Size: 23.8 KB
MD5: c6ce9d10facf266e146b623c4f611a5c
SHA-1: 2d9aadd80419e24bd1451fc1ed6e3ae6baa06b2b
SHA-256: 30ea16e772c12e5e4a176e9c6c4bbd669a40875f61bb510a99480939afcd28eb
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The presence of a PDF_EVAL heuristic firing suggests that the JavaScript code is likely obfuscated and uses eval() to execute arbitrary code. While no specific URLs were identified as malicious, the embedded JavaScript is designed to download and execute a secondary payload. The benign URLs present are likely decoys or standard PDF metadata references.

Heuristics (5)

  • eval() call (severity: high, rule: PDF_EVAL)
    eval() found; commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • String.fromCharCode (severity: low, rule: PDF_FROMCHARCODE)
    String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

stream_004_off000004b5.bin
    Kind:    decompressed-pdf-stream
    Source:  PDF FlateDecoded stream at offset 0x4B5
    Size:    4794 bytes
    SHA-256: 4447bc3bf2370788a868beaf4e818cbde6061d04686c8a8695d700584551fe2b

objstm_0013_00.bin
    Kind:    pdf-objstm-decoded
    Source:  PDF /ObjStm 13 0 obj (inflated)
    Size:    171 bytes
    SHA-256: 3ec841b01a1bb1aa700b49a4f383b3c25444c501028558ea845e84b840f95f4d

objstm_0022_00.bin
    Kind:    pdf-objstm-decoded
    Source:  PDF /ObjStm 22 0 obj (inflated)
    Size:    32 bytes
    SHA-256: a92747d747f22f515169556b020ee478e8bc8240eb1b1c812ec6d5c4463ac2ec

objstm_0026_00.bin
    Kind:    pdf-objstm-decoded
    Source:  PDF /ObjStm 26 0 obj (inflated)
    Size:    32 bytes
    SHA-256: 5a15614ebab0db9b0da45a82154f672c2bc490f73fc030a289823582a52a076c