Malicious PDF — malware analysis report

Static analysis result for SHA-256 394dcdb9beb9e701…

Verdict: MALICIOUS
File type: PDF
Size: 48.0 KB
Created: 2009-11-12 20:52:18 +03:00
Authoring application: formTookYou (via 501e3f8a108d7ab9335ceecd363d113d)
MD5: 7881fae62db0d8bd22f4bd26c1b13f75
SHA-1: dbb73a77af851184919c0de442c9dd33f62e480c
SHA-256: 394dcdb9beb9e701168a5495954bc8792f8daa61f3e88d89b221ce2b650c1722
Risk Score: 64

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains embedded JavaScript, and a high-confidence heuristic detected an eval() call. This suggests the script is designed to execute arbitrary code, most likely to download and run a second-stage payload. The presence of /JavaScript actions and optional content groups further supports this attack vector. No specific malware family could be identified.

Heuristics (4)

  • eval() call [high] (PDF_EVAL)
    eval() found, commonly used for obfuscated exploit execution (matched inside decoded stream).
  • JavaScript action [low] (PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] (PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger [low] (PDF_OPTIONAL_CONTENT)
    An Optional Content Group (layer) co-occurs with an action trigger. Content can be selectively hidden from viewers or scanners while the action still fires on open.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0019_000.js
  SHA-256: 0fd6681046257807dba57ac552ddd934485b54354d1f1deaf4d2eaf27ed52937
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 19 at offset 0x28B9
  Size:    4096 bytes

Filename: javascript_obj0020_001.js
  SHA-256: 2c447e753b8381c7204c299557bd8c6185a80d84413ba01c4e7191aa74643b44
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 20 at offset 0xB956
  Size:    41 bytes