Malicious PDF — malware analysis report

Static analysis result for SHA-256 36c9140bc7e6456c…

Verdict: MALICIOUS
File type: PDF
Size: 1.36 MB
MD5: 4429f77b2d25401620d307feed5e6ba3
SHA-1: 75394d2e58ea9bf5058a303c0c3b9f15cf660be0
SHA-256: 36c9140bc7e6456c015c80827818307e3bb5ef2875eeca719f6e9f505e394276
Risk Score: 86

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains numerous JavaScript streams and exhibits characteristics associated with exploit preparation, specifically related to CVE-2010-0188. The presence of embedded JavaScript, indicated by multiple heuristic firings including 'PDF_JAVASCRIPT' and 'PDF_JS', suggests an attempt to execute malicious code. The high stream count also points towards obfuscation or heap spray techniques common in exploit delivery. While no specific URLs were flagged as malicious, the overall structure and embedded scripts strongly indicate a malicious intent to leverage a PDF vulnerability for code execution.

Heuristics (7)

  • CCITTFaxDecode + TIFF/XFA exploit prep (LibTIFF CVE-family indicator)  [severity: high, CVE related; rule: PDF_CCITT_CVE_2010_0188_RELATED]
    PDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
  • Unusually high stream count  [severity: medium; rule: PDF_MANY_STREAMS]
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • JavaScript action  [severity: low; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream  [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • String.fromCharCode  [severity: low; rule: PDF_FROMCHARCODE]
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact  [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL  [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each entry lists: Filename, SHA-256, Kind, Source, Size (and per-artifact Detection results where available).

  • stream_004_off00001bef.js
    SHA-256: 01ecf8adb04541a4523d366e0c9ae0e3fb6a693d673717f9a78bb5a5950d823e
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1BEF
    Size: 2120 bytes
  • stream_009_off000025a2.js
    SHA-256: 58647920caf9dcb562a842bc0e972eac61066bce0d04a45ac398ee2568ed8227
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x25A2
    Size: 52308 bytes
  • stream_010_off00003cac.js
    SHA-256: c835dc232ea87b2feebb15867d10c455975e237c2611acbc10b5ef6da7a58e82
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3CAC
    Size: 394 bytes
  • stream_013_off00004cb3.js
    SHA-256: 92674dc4e1a944ca837fe4a014b5d8fe0018600f3d3a3f8fa9bca36102d27569
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4CB3
    Size: 887 bytes
  • stream_022_off00005b2e.js
    SHA-256: 6cf864f0861d6c0ed2821c9af39a70ec9740bf8265b087d1fed3cd4749a08e41
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x5B2E
    Size: 630 bytes
  • stream_025_off0000607a.js
    SHA-256: ad9f9460bbd466416c505a21246ca6402cd4ff11034a046c394d87f34489eda4
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x607A
    Size: 635 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 5 eval/decoder/string-building token(s).
  • stream_028_off00006498.js
    SHA-256: 8c06a3684e854306814ac809869afebd45be1b057b891eb2a3c34be21db81f44
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x6498
    Size: 627 bytes
  • objstm_3453_00.bin
    SHA-256: fd71c94dc8896719eb4210798562ef266e103b4b4273a1fc12cf6e8e38ac5459
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 3453 0 obj (inflated)
    Size: 16963 bytes
  • objstm_3454_00.bin
    SHA-256: 4f3c87a70c1a1cdca07a9ed083cc9f8eaab9265594cc058134d8fee82ae86b57
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 3454 0 obj (inflated)
    Size: 19658 bytes
  • objstm_3660_00.bin
    SHA-256: fd1733d006c72b38ef8f2e5da564b991070a15602631fcf0e39c3ac8375f1e1c
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 3660 0 obj (inflated)
    Size: 3935 bytes
  • objstm_3026_00.bin
    SHA-256: 223f9fd4e09a9cc555cc42b608fd841a31ec6c382c81b913d1230db81e8c9d47
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 3026 0 obj (inflated)
    Size: 10410 bytes
  • font_00_cff_off001476ee.bin
    SHA-256: e4569b775ec48290398265e6f0c98af7495d76ae4ee2151a737317ec156b66b8
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1476EE
    Size: 85600 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact entropy is 7.44, consistent with packed or encrypted content.