Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c54fd1b8cf103c0…

Verdict: MALICIOUS
File type: PDF
Size: 750.2 KB
Created: 2008-07-17 23:28:44 +08:00
Authoring application: Acrobat PDFMaker 7.0 for Word (via Acrobat Distiller 7.0 (Windows))
MD5: 81bc3eea1c644d109cebe191257c7efe
SHA-1: 44953b48ff48dc97bda13de7f7e837db1a78752e
SHA-256: 3c54fd1b8cf103c003c69eb43a9b623ad3e3bfb923f5d6c3313d4da03cea73c9
Risk score: 134

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE finding suggests a secondary embedded PDF with similar suspicious static findings. The extracted JavaScript stream (stream_039_off000ba238.js) is the primary indicator of malicious activity, likely responsible for downloading and executing a second-stage payload. The confidence is high due to the critical heuristic findings and the presence of executable script content.

Heuristics (8)

  • POLYGLOT_CHILD_PDF_STATIC_TRIAGE (critical): Secondary embedded PDF body has suspicious static findings
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • PDF_EVAL (high): eval() call
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream).
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_EMBEDDED (low): Embedded file
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • PDF_FROMCHARCODE (low): String.fromCharCode
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/iX/1.0/

Extracted artifacts (21)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size, and Detection where the analysis produced one.

  • stream_039_off000ba238.js
    SHA-256: 98e3c3ca0476ffedc3c2fffc3d2bff11646ce68d12d65706966657d0d9c107a5
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xBA238
    Size: 3433 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s)).
  • icc_00_off00034faf.icc
    SHA-256: eb03db58ff1f226c83103a11f30b5520f9b68a7ced67daa78992723e3ea0411d
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x34FAF
    Size: 1320 bytes
  • font_00_sfnt_off0004aed7.bin
    SHA-256: 194f92554034e60257983fd76c25151d6467c7ccb45ac5cd515d30b204d2726c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4AED7
    Size: 3864 bytes
  • font_01_sfnt_off0004bbcb.bin
    SHA-256: 86a191427cdeb783c11e7a9c40550fd03af1c89a97ba2a9338536d55595ec542
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4BBCB
    Size: 9544 bytes
  • font_02_sfnt_off0004d8af.bin
    SHA-256: 6c5af6f6b1048f2e36c644cc4a05628c6f098238f0c539d8a50a9ec1c4cfbe3b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4D8AF
    Size: 16936 bytes
  • font_03_sfnt_off00050e29.bin
    SHA-256: b46e1bb1ce712c597f79aebabb74eee9ed80499ff7f336fe85e9039354a96543
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x50E29
    Size: 6440 bytes
  • font_04_sfnt_off0007adaf.bin
    SHA-256: 2760dba94bf8c72ce9ea0b9d2c69715633d7f3bf89812dfa37b3e5c06656e96b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7ADAF
    Size: 5948 bytes
  • font_05_cff_off0007ba1e.bin
    SHA-256: f929b154c1739393f86aafaa33ea11e998d4237547ea87853bf41ee35a809f31
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x7BA1E
    Size: 1767 bytes
  • font_06_cff_off0007be41.bin
    SHA-256: 2da564aa77ed7be83abdc9c2db412b62ed648ac7b3ace1ee84e4748d253f2a22
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x7BE41
    Size: 3549 bytes
  • font_07_cff_off0007cb67.bin
    SHA-256: 26742da0e57b265b55cbcfc487443296d46f82eb8707e6517b9a4968fa675a6a
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x7CB67
    Size: 7073 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.42, consistent with packed or encrypted content).
  • font_08_cff_off0007e3c1.bin
    SHA-256: 4e850c53faa0e66014ecbc97db8ee6328db8a114809ee3ff2aecd2e894efe2d3
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x7E3C1
    Size: 7042 bytes
  • font_09_cff_off0007fa74.bin
    SHA-256: 2cc8cb05e41dc348b960cb086767796c494fbe8636258dcc6dbf1ed773dc3992
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x7FA74
    Size: 1915 bytes
  • font_10_cff_off0007ff62.bin
    SHA-256: 79c92dda5fe77c55cda21a49184a8caff2d2f402537352979d909e8b5b8a1213
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x7FF62
    Size: 7329 bytes
  • font_11_cff_off000818a7.bin
    SHA-256: 2c7746eb32712e6328a9ae394afdd9cb6eb32a97da86e79b7bcb2f83f373a0bc
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x818A7
    Size: 4793 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.42, consistent with packed or encrypted content).
  • font_12_cff_off00082a92.bin
    SHA-256: 331559013bae1bed3d2b9ef4a93ff99963b516e528574f4c371a798d67a715cc
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x82A92
    Size: 4406 bytes
  • font_13_cff_off0008398a.bin
    SHA-256: 588a76db61e4e267ee8494840bef04e170a79ab4a688563a08a03608d15294ba
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x8398A
    Size: 2935 bytes
  • font_14_cff_off0008440b.bin
    SHA-256: b38a8d799134f8c45e5c24f42fbd86cdd1230a86b6d9e06e42bfb97e2bc445ef
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x8440B
    Size: 2398 bytes
  • font_15_cff_off00084dd5.bin
    SHA-256: a3030d0f8714b4bddccc5833bbf4b088240201959563acc822f3e56c6ccc5dfd
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x84DD5
    Size: 1041 bytes
  • font_16_cff_off00085229.bin
    SHA-256: c67313452626498cd4d0733b4523b9ecb70a75e0a5c5c686858f095bd5ae119c
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x85229
    Size: 257 bytes
  • font_17_cff_off00085365.bin
    SHA-256: 06970a84f1da06d8f2a248cea2824b8078e11e77d6e0b119de5bbfbf49a69ac7
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x85365
    Size: 1446 bytes
  • polyglot_child_pdf_off00030ed0.pdf
    SHA-256: ea39084b3fdf994b1f6966c8360a02af781c1fe80990fa8351701ac6ac9f0b90
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x30ED0
    Size: 567761 bytes