Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ab937e4520c5132…

MALICIOUS

PDF

29.8 KB Created: 2010-02-25 13:50:17 +01:00 Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 9.0.0 (Windows))
MD5: 70a2bfe053c45705b0a82125fb1f02a8 SHA-1: f6fc90e7afc71f7b905305c31fc0fc3c2b898e32 SHA-256: 4ab937e4520c5132492b693d2328515e2ee56f97abd102b541b4fadff50a01b5
184 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file is flagged as malicious and contains embedded JavaScript, which is also encrypted, suggesting an attempt to hide malicious code. The critical ClamAV detections for Eicar-Test-Signature on both the main file and an extracted artifact confirm the presence of the EICAR test file. The embedded JavaScript stream, named 'javascript_obj0041_000.js', likely contains code to execute or download further payloads, although its exact function is obscured by encryption. The presence of the EICAR test file indicates a deliberate attempt to deliver malware.

Heuristics 7

  • ClamAV: Eicar-Test-Signature critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Eicar-Test-Signature
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
eicar.com
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f		 pdf-embedded-file PDF EmbeddedFile object 43 at offset 0x6A91 68 bytes
Detection
ClamAV: Eicar-Test-Signature
Obfuscation or payload: unlikely
javascript_obj0041_000.js
96e70381bb9d3e5feaf19d1051707cd6fa9ad3a8ba3d5afb7a4544f8d10fc0bb		 pdf-javascript-stream PDF /JS object 41 at offset 0x62E2 1438 bytes
icc_00_off000056ec.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x56EC 3144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.