Malicious PDF — malware analysis report

Static analysis result for SHA-256 366bbb906b7dac68…

Verdict: MALICIOUS
File type: PDF
Size: 2.93 MB
MD5: f1b3b34335c80d5b2121785e3d8b9e81
SHA-1: 366d66b51ed5690503e538c0d96b3a326f66de8d
SHA-256: 366bbb906b7dac682179bac0ce085b0cd089d66e1ce144be164598ff056d937d
Risk score: 168

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was detected as malicious by ClamAV with the signature Html.Trojan.Shellcode-19. Heuristics indicate the presence of embedded script payloads and the use of String.fromCharCode, suggesting an attempt to obfuscate malicious code. The extracted artifacts include JavaScript files, further supporting the presence of scripting for malicious purposes. The exact intent of the script is unclear due to obfuscation, but it is likely to download and execute a secondary payload.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0038

Heuristics (6)

  • ClamAV: Html.Trojan.Shellcode-19 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Html.Trojan.Shellcode-19
  • ClamAV detection on extracted artifact (critical; EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on a carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Embedded script payload in PDF stream (medium; PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • Suspicious extracted artifact (medium; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • String.fromCharCode (low; PDF_FROMCHARCODE)
    String.fromCharCode found; it is used to construct payload strings dynamically. It is also common in benign JavaScript libraries for codepoint manipulation, so on its own this is informational; weaponised use is additionally caught by the dedicated fromCharCode-stage and exploit-shape rules. (Matched inside a decoded stream.)
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL. All ten URLs listed here are standard RDF/XMP metadata namespace identifiers, which normally appear in a document's XMP metadata packet rather than being fetched at runtime.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/g/img/

Extracted artifacts (20)

Files carved from inside the sample during analysis.

Each entry gives the filename with its kind and size, the source location inside the PDF, the artifact's SHA-256, and any detection result recorded for it.

  • stream_056_off00137285.js (decompressed-pdf-stream, 160644 bytes)
    Source: PDF FlateDecoded stream at offset 0x137285
    SHA-256: 568c0437cea868045fd8596e431a84e7a6dc46f4a48e0b0c9a04d645d260dfda
    Detection: ClamAV: Html.Trojan.Shellcode-19; obfuscation or payload: unlikely
  • stream_060_off00173d6d.js (decompressed-pdf-stream, 152904 bytes)
    Source: PDF FlateDecoded stream at offset 0x173D6D
    SHA-256: fad776c28108732daeff653191f5e2be7816cba0b9f2068290f5754f548ab6b5
  • stream_061_off0017e673.bin (decompressed-pdf-stream, 65360 bytes)
    Source: PDF FlateDecoded stream at offset 0x17E673
    SHA-256: 540c8d1242d6d10dbc67ba1af3f7672010ca1643af308cbf371f94598da69ebd
  • stream_063_off001958ef.bin (decompressed-pdf-stream, 66220 bytes)
    Source: PDF FlateDecoded stream at offset 0x1958EF
    SHA-256: 2525060318e27bf367c1966a57c3c565e989cc0fd7e3ddc2eb4668794031b985
  • stream_064_off001a1563.bin (decompressed-pdf-stream, 34185 bytes)
    Source: PDF FlateDecoded stream at offset 0x1A1563
    SHA-256: 48b466b6818b6c73077148243fbfc826feee03fdb6b776d77b4d921d6c64f9ac
  • stream_074_off001f06f5.bin (decompressed-pdf-stream, 320784 bytes)
    Source: PDF FlateDecoded stream at offset 0x1F06F5
    SHA-256: 7a4ea40dfbc3e5a980bf05d92b40098e994311a7796cc954650a337ed97d455f
  • stream_078_off00210c39.js (decompressed-pdf-stream, 154893 bytes)
    Source: PDF FlateDecoded stream at offset 0x210C39
    SHA-256: 549e29e2ec93d51d174304aaf1d4d64f3e6a4ca6e471e25ace7de16d52dc4445
    Detection: ClamAV: No threats found; obfuscation or payload: likely
    Carved artifact contains 1 eval/decoder/string-building token(s).
  • stream_080_off0023ae11.js (decompressed-pdf-stream, 158968 bytes)
    Source: PDF FlateDecoded stream at offset 0x23AE11
    SHA-256: 3db45c141a72c9010c68fa20e612c26c44c10c98487792b84abf808fd8a6448d
    Detection: ClamAV: No threats found; obfuscation or payload: likely
    Carved artifact contains 2 shell/COM execution token(s).
  • stream_088_off0027bb94.bin (decompressed-pdf-stream, 33777 bytes)
    Source: PDF FlateDecoded stream at offset 0x27BB94
    SHA-256: 6c21b809eccbb3a5bbfbd923c3a5eb47aae198579c33b91f61d3e0922d9346c3
  • font_00_cff_off00002207.bin (pdf-font-stream, 3034 bytes)
    Source: PDF embedded font (cff) at offset 0x2207
    SHA-256: 42637ccfd58bd3bb548f9c75be2c966211ccf1dec908314fb2bcb6aea87cc380
  • font_01_cff_off00002d9d.bin (pdf-font-stream, 4492 bytes)
    Source: PDF embedded font (cff) at offset 0x2D9D
    SHA-256: e3530c1a8fbed04af952a69ae7e1e0cfb3eea53c4ad6c0d59a0ec1bc691e4160
  • font_02_cff_off00003e15.bin (pdf-font-stream, 7466 bytes)
    Source: PDF embedded font (cff) at offset 0x3E15
    SHA-256: 0a2977f673b0a7fd1f7ac0cea93c0083507af6f28169d58bf38b3d8fe3e2cb87
    Detection: ClamAV: No threats found; obfuscation or payload: likely
    Carved artifact entropy is 7.44, consistent with packed or encrypted content.
  • font_03_cff_off002bc89a.bin (pdf-font-stream, 4483 bytes)
    Source: PDF embedded font (cff) at offset 0x2BC89A
    SHA-256: c5ae3a46b116f0aa15f1d050e20f886e37ead6f18cadd8011201d913e427fd6d
  • font_04_cff_off002bdaf6.bin (pdf-font-stream, 7191 bytes)
    Source: PDF embedded font (cff) at offset 0x2BDAF6
    SHA-256: c93e3ea77ebf9ccc98abdf62ad068e15c052c543d4295f3baccf11c1a14f20c6
  • font_05_cff_off002bf759.bin (pdf-font-stream, 4364 bytes)
    Source: PDF embedded font (cff) at offset 0x2BF759
    SHA-256: 1215e09394ca940bbf2be54641c67068539a8f0d545f59cc286a868138ef99c0
  • font_06_cff_off002c0dec.bin (pdf-font-stream, 6212 bytes)
    Source: PDF embedded font (cff) at offset 0x2C0DEC
    SHA-256: 6c9497bef0c1eefd9c5093b0a926e34f6ba6917c8acce624984b8a5c3f1ee9a4
  • font_07_cff_off002c3098.bin (pdf-font-stream, 2553 bytes)
    Source: PDF embedded font (cff) at offset 0x2C3098
    SHA-256: 65a24032906f165bb30ad75d17ac4d1ded4e73da7694434f7edeed6783072813
  • font_08_cff_off002caaf3.bin (pdf-font-stream, 2864 bytes)
    Source: PDF embedded font (cff) at offset 0x2CAAF3
    SHA-256: a722ddfa44a4570c0117184c5ff1a364d6dc184866e963946763467f4e53dd5c
  • font_09_cff_off002e116c.bin (pdf-font-stream, 2263 bytes)
    Source: PDF embedded font (cff) at offset 0x2E116C
    SHA-256: b53f0258a4f5e6ed44633825bc102cf211e6b407fb13f940de3b8c8a116ab8c9
  • font_10_cff_off002e1e3f.bin (pdf-font-stream, 2695 bytes)
    Source: PDF embedded font (cff) at offset 0x2E1E3F
    SHA-256: 5cae38d2c85ce61f5a53abba3b6fec97f97631785fa49cc0708bdb54d9e0d607