Malicious PDF — malware analysis report

Static analysis result for SHA-256 497d6042b6a0cf10…

MALICIOUS

PDF

36.9 KB Created: 2009-09-15 20:20:11 Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: 602d8f8fdb4a36b8bcca49fea27d233e SHA-1: f0a40b4fc2e9e5b5d70b11da52be6aacfabe658b SHA-256: 497d6042b6a0cf102838b12e183a7ca7541aacd5f7a9ba7fafeec079ff4eea9d
78 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains multiple embedded JavaScript streams, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The critical ClamAV detection for ObfuscatedNameObject further suggests malicious intent. The presence of JavaScript actions points to the execution of code, likely to download and execute a second-stage payload. Due to the obfuscated nature of the JavaScript and the lack of specific IOCs like URLs or hashes within the provided evidence, the exact family remains unknown.

Heuristics 4

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0017_000.js
e32a8d70ebd825ca2e556a90b1d4a18fca590eee327a6a58d391fdfe57546a44		 pdf-javascript-stream PDF /JS object 17 at offset 0x4AE8 23957 bytes
javascript_obj0018_001.js
893bb4424bfa791ad59ba474dfcf0c122de4c7320abdc73a5c75b397663b89b7		 pdf-javascript-stream PDF /JS object 18 at offset 0x8B8E 189 bytes
javascript_obj0019_002.js
e0bcb18b6df8dbf984ddd7ed6917d3a88eb9959da678fd218d648b92c40d4595		 pdf-javascript-stream PDF /JS object 19 at offset 0x8C5D 312 bytes
javascript_obj0020_003.js
a6be7f29febb80f34784c4313e09e74bbe9fa8c044f54d9cce50a0badfedcf30		 pdf-javascript-stream PDF /JS object 20 at offset 0x8D96 144 bytes
javascript_obj0021_004.js
bf302aa69e5f5f01f7abad06ea731ae3baefae4e36c39bcdd0d020d50f6ecf68		 pdf-javascript-stream PDF /JS object 21 at offset 0x8E51 153 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.