PDF malware analysis — malicious · 39997e52c49c659e

MALICIOUS

PDF

180.9 KB Created: 2008-05-30 20:35:14 UTC Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 5.0.5 (Windows))

MD5: b2103a686935ab0c8047068ac1e28d90 SHA-1: 5008b4795dcc9cbe50314f48325f1e0e82754bec SHA-256: 39997e52c49c659e18f30dd3c2dac896e45ac7c8f85f7aaf6a280084a750ea8f

66 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.007 JavaScript

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The `eval()` call and `String.fromCharCode` usage suggest obfuscated code execution. The extracted artifact `javascript_obj0027_000.js` is also flagged as suspicious due to script obfuscation. This points to an attempt to download and execute a secondary payload, a common technique for malware delivery.

Heuristics 6

eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
String.fromCharCode low PDF_FROMCHARCODE

String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0027_000.js` `84131ddcb93309c84017e80740bd4419b5fcae74ddc45c3adb19291deab4ecdd`	pdf-javascript-stream	PDF /JS object 27 at offset 0x72B	4987 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 10 eval/decoder/string-building token(s).
`stream_003_off0000313a.bin` `1bf949ae4629a9399ece545df3143fc2d234da4150d2071262db003a29ec93f8`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x313A	43096 bytes
`stream_007_off000110ea.bin` `41e6e0496fdd90c7c09a0f10077193f0992899e80c6f77e30c53cd167f01f808`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x110EA	10288 bytes
`stream_010_off00019f03.bin` `f8b5634482dabaf0040161953b708d7648a1dc1459beb6e63bf997bafb4818f7`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x19F03	107773 bytes
`icc_00_off00008cee.icc` `2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e`	pdf-icc-profile	PDF ICC profile at offset 0x8CEE	3144 bytes
`font_01_sfnt_off000129dd.bin` `d380df7f17417c88681f271d5f8c718157eb3982e3389e956a29c4ab5fb5b943`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x129DD	28540 bytes
`font_02_sfnt_off00015e46.bin` `6f75721f41befd87422e1ebf76f00622abaf7309b3a64cb737247037c047e259`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x15E46	14824 bytes
`font_04_sfnt_off0002946c.bin` `659bf0b8035208f1758f1b892614dbfb0b5b7baad6052234297b54474b1d2dba`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2946C	27605 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.