Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a29b82666cf0890…

MALICIOUS

PDF

Size: 182.7 KB
Created: 2010-05-26 15:10:19 +08:00
Authoring application: WPS Office 个人版 (via PDFlib 7.0.3 (C++/Win32))
MD5: b2c4abe9dcfc8d30d0fc89740ecee5e7
SHA-1: 4bb92773fafddf9b76b955be74b8d0e6ad965d22
SHA-256: 3a29b82666cf0890c17d512faa1598209772b989077f23ba962f687a761a0652
Risk Score: 116

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file exhibits suspicious characteristics, including embedded JavaScript and a secondary embedded PDF, as indicated by the 'PDF_JAVASCRIPT', 'PDF_JS', and 'POLYGLOT_CHILD_PDF_STATIC_TRIAGE' heuristics. The ClamAV detection 'Heuristics.PDF.ObfuscatedNameObject' further confirms its malicious nature. The presence of these elements suggests the file is likely a dropper or exploit container, designed to execute malicious code or load further payloads.

Heuristics (4)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • Secondary embedded PDF body has suspicious static findings (severity: high, rule: POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source, and size.

  • javascript_obj0006_000.js
    SHA-256: 294ded36a34893000fe10a046e564588bbf5d2560d04ef9f915f51ab4307f56b
    Kind: pdf-javascript-stream
    Source: PDF /JS object 6 at offset 0x18B
    Size: 6710 bytes
  • font_00_sfnt_off00016efa.bin
    SHA-256: 158d8901f371473a13a1634a08f936ca4c2679b5e0c147da6bce8e737c8a9c86
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16EFA
    Size: 181308 bytes
  • font_01_sfnt_off0001c752.bin
    SHA-256: 5e211263ffff9966e7eb86dc6c0f151f2b9c7da983d225e41e027c911bdeac73
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1C752
    Size: 152720 bytes
  • polyglot_child_pdf_off00015856.pdf
    SHA-256: a59abfabd2c22a5d007c5313e51f88766922e1e669e3d320968ccc6391b118ee
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside PDF container at offset 0x15856
    Size: 98962 bytes