Malicious PDF — malware analysis report

Static analysis result for SHA-256 43c025b57da43cde…

MALICIOUS

PDF

5.4 KB Created: 2011-04-05 23:46:28 Authoring application: bub lob
MD5: 8ce02194dc464eaa062d33bc5a2f56da SHA-1: f9ace3bd7243452cde59275002b33ce4e73b6bf4 SHA-256: 43c025b57da43cde10f951d628a31ed358d2b0db0651d4d5003a40f24826dff4
118 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript that is executed via XFA forms, indicated by the PDF_XFA_SCRIPT and PDF_EMBEDDED_SCRIPT_PAYLOAD heuristics. The unescape() call suggests obfuscation of the script content. The primary IOC is the extracted JavaScript file, which is likely responsible for delivering the malicious payload. The file's authoring application and creation date do not provide specific attribution.

Heuristics 6

  • XFA form contains risky executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behavior is present.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off00000327.js
6b4c210b0d164f9e934c138f4e72e0edee24c37e495be0c28ed9c1de92be27e9		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x327 55772 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.