Malicious PDF — malware analysis report

Static analysis result for SHA-256 38a138e9b9f648f1…

MALICIOUS

PDF

482.6 KB Created: 2006-06-30 13:26:52 -04:00 Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 7.0.5 (Windows))
MD5: 980135ee01a8976d9c04286edca38ac6 SHA-1: b8cdf42cf50c7d913d01e60ba9ae82d4bc1a400d SHA-256: 38a138e9b9f648f1f754205e01f8321788edaffa9ac1c302951631f3d0aa64e5
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains embedded JavaScript, including calls to eval() and String.fromCharCode, indicating obfuscated code execution. The presence of U3D content and related heuristics strongly suggests exploitation of a CVE-family vulnerability in Adobe Reader's 3D parser. The embedded JavaScript likely downloads and executes a second-stage payload, as evidenced by the large extracted JavaScript files.

Heuristics 9

  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0096_010.js
cb0b3d4c5f194e021b9a0221da3eb5e452e0eca53b84aa0f617c46eec75a9684		 pdf-javascript-stream PDF /JS object 96 at offset 0x1E365 33 bytes
javascript_obj0097_011.js
578aed31eeb16c7d5addb14deabb33c6d1ff616db3cf6757e3c42ed2a6f5cd20		 pdf-javascript-stream PDF /JS object 97 at offset 0x1E3AF 32 bytes
javascript_obj0098_012.js
ef3ea8a689375d1da4f1dc9d6cd8cab6faef31e75fc06dc5a4a8f1b59794f706		 pdf-javascript-stream PDF /JS object 98 at offset 0x1E3F8 33 bytes
javascript_obj0016_014.js
4249540f17429d6230e2e89c4c602203a7c7d68423bc1428d30e8c831da179dd		 pdf-javascript-stream PDF /JS object 16 at offset 0xCA6 38816 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 15 eval/decoder/string-building token(s).
stream_021_off0001e678.bin
3a7d212200bcf6b5e13ab3039bfbbfb48b4d08f9f239c7cd876809a921885820		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1E678 389716 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.73, consistent with packed or encrypted content.
stream_022_off00072533.js
631d9d2fb37aed0fb83990f2d5622402dc59f25399fc368c0c65939a26f45446		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x72533 89066 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
icc_00_off0000352d.icc
3f6d674174f3804eb0dabdac90ae17486e898c5063a66f861c116ea033da8301		 pdf-icc-profile PDF ICC profile at offset 0x352D 3144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.