Verdict: MALICIOUS
Risk Score: 128
Malware Insights
MITRE ATT&CK:
- T1059.001 PowerShell
- T1027 Obfuscated Files or Information
The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_EVAL, and PDF_UNESCAPE. The script is obfuscated, making its exact function difficult to determine, but the presence of eval() and unescape() suggests it is designed to download and execute a secondary payload. The embedded script payload itself is a suspicious artifact. No specific malware family could be identified.
Heuristics (6)
- eval() call (high, PDF_EVAL): eval() found — commonly used for obfuscated exploit execution
- unescape() call (high, PDF_UNESCAPE): unescape() found — often used to decode shellcode in PDF JS exploits
- Embedded script payload in PDF stream (medium, PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| stream_002_off0000bde3.bin | a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xBDE3 | 264072 bytes |
| embedded_pdf_script_0004d202.bin | 908e536aa0ab0d2031c8f8b87a8ceb86854dccf9a5a5dae330e2435de0bab11f | pdf-embedded-script | PDF decompressed stream script payload at offset 0x4D202 | 316103 bytes |
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).