Malicious PDF — malware analysis report

Static analysis result for SHA-256 46845160250c3cb2…

MALICIOUS

PDF

745.3 KB
MD5: 71f95964fe8339ed97ed169ce31bc119 SHA-1: bb082decf41b539cd1a74813db8c5920d2478e0b SHA-256: 46845160250c3cb265f40523f53fee952f08bfd1b2a0ff309f876c08fe5046ee
114 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript and a secondary embedded PDF, both of which exhibit suspicious static findings including JavaScript actions and potential exploit indicators. The presence of these elements suggests the document is designed to leverage PDF vulnerabilities to execute malicious code. The embedded JavaScript, named 'javascript_obj0026_000.js', and the secondary PDF 'polyglot_child_pdf_off0003ca8f.pdf' are the primary indicators of this malicious behavior, likely serving to download and execute further stages of an attack.

Heuristics 8

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-locale-set/2.6/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0026_000.js
1d1885b6c800938e7ec00d369726a3bf52b65eebedcdd60cc006c36da6cab07f		 pdf-javascript-stream PDF /JS object 26 at offset 0x47BF 9609 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
font_00_sfnt_off000070c8.bin
e31f8c8507e52f29008d946a00becde9f839e34cb108985ce66167bf881adafa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70C8 8084 bytes
font_10_sfnt_off000149fa.bin
422bc5698ba5d9d4818f6a2d8b3abca2f723e713b44a15c390139d2c976a1388		 pdf-font-stream PDF embedded font (sfnt) at offset 0x149FA 65932 bytes
font_11_sfnt_off0001e85c.bin
7e24ee16c8b09ee74d61445f29c3c0a95abfdf17fc1008606394f159dbd0c106		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1E85C 65932 bytes
font_12_sfnt_off000286ba.bin
57e24925bc6bdb98d38e8b4ba3b87f80f75c5e49ea9a522486790d7dc6848549		 pdf-font-stream PDF embedded font (sfnt) at offset 0x286BA 65932 bytes
font_13_sfnt_off000324e1.bin
1f068d668b316fcb46f0801be00137fb749cc7fda5ca15e442829d6c303d8f99		 pdf-font-stream PDF embedded font (sfnt) at offset 0x324E1 65932 bytes
polyglot_child_pdf_off0003ca8f.pdf
1a316cc8c7d3b1fb0c3fe6a3b5a43e0ffe6751c9465a847974af533cc86d6653		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x3CA8F 514725 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.