Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d739759d1d27ee3…

MALICIOUS

PDF

Size: 574.1 KB
Created: 2010-01-21 11:43:09 UTC
Authoring application: Klausur Grundlagen des Rechts der Behindertenhilfe (via DocuCom PDF Driver 6.20 for NT)
MD5: aa941f0b6466a9eff9dfd5f1c84aafbe
SHA-1: 79d36678c76a946761307a892ce5265399f43459
SHA-256: 3d739759d1d27ee3c0c5281e91e7f40b9b0880e02795f2f4a6328371aa30abdf
Risk Score: 86

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains numerous embedded JavaScript streams, with a high number of streams and an eval() call indicating obfuscation and potential malicious execution. One heuristic specifically flags 'Suspicious extracted artifact — Signals: Script obfuscation indicators; files: javascript_obj0653_016.js'. The presence of JavaScript actions and embedded JS streams strongly suggests the document's purpose is to execute arbitrary code, likely for downloading a second-stage payload. The obfuscated nature of the scripts and the high stream count contribute to the uncertainty about the exact payload.

Heuristics (7)

  • eval() call (severity: high, rule: PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • Unusually high stream count (severity: medium, rule: PDF_MANY_STREAMS)
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger (severity: low, rule: PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • javascript_obj0742_006.js
    SHA-256: e153c3a29de0437161aa0fa96ab43d720264c03907867b5eb5507b6c30b6e571
    Kind: pdf-javascript-stream
    Source: PDF /JS object 742 at offset 0xA30F
    Size: 184 bytes
  • javascript_obj0743_007.js
    SHA-256: 711ff08025f9348de4e765f229d4a4737ee5cf0c9a8f93d809962120353d69be
    Kind: pdf-javascript-stream
    Source: PDF /JS object 743 at offset 0xA3F8
    Size: 43 bytes
  • javascript_obj0744_008.js
    SHA-256: 47ac1394721481ded97da3fe1315938c845fe4ffc89e249e347977cac6335443
    Kind: pdf-javascript-stream
    Source: PDF /JS object 744 at offset 0xA44C
    Size: 32 bytes
  • javascript_obj0651_014.js
    SHA-256: 95139b25268cd8e78433d0992f8f4466ee39d6a266f427e7a3132260a3aa69ec
    Kind: pdf-javascript-stream
    Source: PDF /JS object 651 at offset 0x1A18
    Size: 6269 bytes
  • javascript_obj0652_015.js
    SHA-256: 1a54dd38355b5ae46b676513d8e414715d94c0bdfc3e638cc863f55d69e5b56e
    Kind: pdf-javascript-stream
    Source: PDF /JS object 652 at offset 0x213D
    Size: 2360 bytes
  • javascript_obj0653_016.js
    SHA-256: 932bb24a1f112a11c4f82885eaf5e9055c8f457f8a58015a9f5a586eb2037252
    Kind: pdf-javascript-stream
    Source: PDF /JS object 653 at offset 0x2551
    Size: 15177 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 eval/decoder/string-building token(s).
  • stream_042_off0000b57f.bin
    SHA-256: 66322a1696e4dd962071ea9776bd4b1431f5429ab9e9a37497735118649b4769
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xB57F
    Size: 58710 bytes