Malicious PDF — malware analysis report

Static analysis result for SHA-256 488c644c4ad428a2…

Verdict: MALICIOUS
File type: PDF
Size: 9.8 KB
MD5: 573cce4c69cd8929bc053533898de070
SHA-1: e7d7ad775a589199a3749bbb2d9ac989598898eb
SHA-256: 488c644c4ad428a2c8fa20ad990eac958f1f6661f51aa9f0857d42de5a60d39c
Risk score: 98

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript and U3D content, with heuristics indicating a potential exploit related to Adobe Reader's 3D parsing capabilities (CVE-family). The embedded JavaScript stream, particularly 'javascript_obj0010_001.js', is likely responsible for the malicious activity. While the exact script functionality is not fully detailed, the presence of unescape() calls and the U3D exploit indicator strongly suggest it's designed to download and execute a second-stage payload.

Heuristics (6)

  • [high] U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator (CVE related) (rule: PDF_U3D_CVE_RELATED)
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • [high] unescape() call (rule: PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
  • [low] JavaScript action (rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] Embedded JS stream (rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [info] Suspicious extracted artifact (rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] Embedded URL (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://twitter.com/feliam

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0005_000.js
    SHA-256: 90c70853178b4dfbe5aeb450bc9c83613bf38a945de76ebe1faf0f9fd5312150
    Kind: pdf-javascript-stream
    Source: PDF /JS object 5 at offset 0x178
    Size: 62 bytes

  • Filename: javascript_obj0010_001.js
    SHA-256: 542f606c806caf41a1dfe5b7616415b59a11c39961c8bdb57b7fbfcf2b1aaf20
    Kind: pdf-javascript-stream
    Source: PDF /JS object 10 at offset 0x59E
    Size: 3855 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 6 eval/decoder/string-building token(s).

  • Filename: u3d_00_off0000025c.bin
    SHA-256: f79e8522f672a31bcecc42ffcffba793e3187ecca4888cf754a1d82c3d5516a5
    Kind: pdf-3d-stream
    Source: PDF U3D 3D stream at offset 0x25C
    Size: 393 bytes