Malicious PDF — malware analysis report

Static analysis result for SHA-256 435981589920c71f…

Verdict: MALICIOUS
File type: PDF
Size: 1.05 MB
Authoring application: FOP 0.20.5
MD5: 81141c8c90950a175ec8a6a2762b201d
SHA-1: 379c1e8fd1ce23880dc53d1a53f4f1e6e57d6772
SHA-256: 435981589920c71fe73b6746f29f711ddcd93b1ea0b54ff15376fc8320a613f0
Risk score: 94

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The PDF file contains multiple embedded JavaScript streams and a heuristic firing for 'PDF_EMBEDDED_SCRIPT_PAYLOAD'. This indicates the document is designed to execute malicious code upon opening. The embedded scripts likely download and execute a second-stage payload, as suggested by the 'EXTRACTED_FILE_STATIC_TRIAGE' heuristic. The presence of urgency-related language in the document body further supports a phishing or social engineering attack vector.

Heuristics 8

  • Embedded script payload in PDF stream (severity: high, rule: PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact (severity: medium, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (Matched inside a decoded stream.)
  • ASCII85Decode filter with exploit indicators (severity: low, rule: PDF_FILTER_85)
    ASCII85 encoding filter present alongside exploit delivery indicators; uncommon outside of obfuscation.
  • Urgency / deadline lure (severity: low, rule: SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.); useful context, but low-signal without other findings.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 15

Files carved from inside the sample during analysis.

  • stream_030_off0001deb8.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x1DEB8; Size: 104490 bytes
    SHA-256: 762ff1f2f223d38a2e5b6df25671d9c88b7d3e7d20d507ef4956675b16ca7122
  • stream_033_off0002390b.js
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x2390B; Size: 7530 bytes
    SHA-256: 18fee4c30c1fba5fda63db1b852d108f5b0850ccecd890a91c08ba4de25d4307
  • stream_035_off0002981b.js
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x2981B; Size: 7865 bytes
    SHA-256: 26228d0900d951910d09d7b10d5645b7493416af914b15029bed4405d7dac513
  • stream_077_off0004df61.js
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x4DF61; Size: 6726 bytes
    SHA-256: 1b4d8d7fb36ca2af19fada9bd2fec9ff5784a9cae759b34f744d3732ac0edd53
  • stream_089_off000609c0.js
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x609C0; Size: 5736 bytes
    SHA-256: e26e04cf960353c82605cfd5ee3b3d4b0790b88805ad12c65c9a678a28adb057
  • stream_143_off0007ff82.js
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x7FF82; Size: 4410 bytes
    SHA-256: 81707d2eebc8e12121fd8872fe56d24aff90a7112e03fa420d2ac9cbc1d3fac8
  • stream_144_off00080774.js
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x80774; Size: 5379 bytes
    SHA-256: ed23bde69e2052ca91b728fe9be1b80b9ec21d80732e11b81b99120a201200f8
  • stream_145_off00080ef2.js
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x80EF2; Size: 4458 bytes
    SHA-256: 7b092b9eb37ee195857daad997a2735850e924129648cf074defb8e5ce99eae4
  • stream_171_off0008d8f6.js
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x8D8F6; Size: 6001 bytes
    SHA-256: 0cfc14b115f3a86d7405f2142f6d0b10daa678ec42dbff3094b5e30c856fb80b
  • stream_175_off0008fdd4.js
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x8FDD4; Size: 3655 bytes
    SHA-256: 5b60891a455017250e3c52d124f4eace970d6f880a3c62c6efd12e9e2f7cdd15
  • stream_176_off00090306.js
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x90306; Size: 7377 bytes
    SHA-256: 3dc8858d7388c9860b7b36d95fd506bfa1825c3ab5b2523ef5de40860283b596
  • stream_191_off000b3735.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0xB3735; Size: 82164 bytes
    SHA-256: 8a39ac68771c81525207a52e9f4a7a78062708393b94aa3cdcee1cb12ecf4a6a
  • stream_192_off000c6091.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0xC6091; Size: 86432 bytes
    SHA-256: 56d8837fda6db3e4a3885a6bde6814b712067bb1b5e5ad0f4ba6fd627ffc81db
  • stream_195_off000eab31.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0xEAB31; Size: 87112 bytes
    SHA-256: 4fe59789406d144f183636e1b753e48d15fa48007faa746169b4ae7ae4ece936
  • embedded_pdf_script_000138ed.bin
    Kind: pdf-embedded-script; Source: PDF decompressed stream script payload at offset 0x138ED; Size: 7097 bytes
    SHA-256: 10ce6ec606ebc2ac830701bfc8dc9ec4723ac5fd8573e490b95c9b40b591f761

Detection

ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s).