Malicious PDF — malware analysis report

Static analysis result for SHA-256 416e5e99c628d002…

MALICIOUS

PDF

77.7 KB Created: 2009-08-26 23:02:49 Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: 84fb570bbd2cf0187c93ca6a66b78e90 SHA-1: 7d365ca2c3773fc9140b639654af7742c3343f22 SHA-256: 416e5e99c628d002a36d4f8cd800cef66a57bd6d3d39b086cbcbb9b68c72a2cf
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains multiple embedded JavaScript streams, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ClamAV detection for 'Heuristics.PDF.ObfuscatedNameObject' further suggests malicious intent. The embedded JavaScript is likely designed to exploit a vulnerability within the PDF reader to execute arbitrary code, potentially downloading and running a second-stage payload. The exact functionality of the scripts is not fully discernible due to obfuscation, leading to a moderate confidence level.

Heuristics 3

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0092_000.js
a350cde2463fac6392962ff389bd453870445e63fdaae73c92af9a6bc7a57c7c		 pdf-javascript-stream PDF /JS object 92 at offset 0xF58E 245 bytes
javascript_obj0093_001.js
15251843a332da39a9e06e1034b0ab20cdb9684e4740ca0f96d5dac0c1388b4d		 pdf-javascript-stream PDF /JS object 93 at offset 0xF670 173 bytes
javascript_obj0094_002.js
5dfc4949a6dd6fffe72c8b8598b45c263c36d916fda6dce736b617f49298e2eb		 pdf-javascript-stream PDF /JS object 94 at offset 0xF741 255 bytes
javascript_obj0095_003.js
446f40c9bbe0e2829fe1516da88ff61215d48ea5d839cfcfd61e6bc2f4f22082		 pdf-javascript-stream PDF /JS object 95 at offset 0xF841 23627 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.