Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d6da24f355cc56c…

Verdict: MALICIOUS
File type: PDF
Size: 160.1 KB
MD5: 6307853391c252fd07bd5816b4b3bc12
SHA-1: 102277c8e041d4e12cdea3ab87ac9160984d440c
SHA-256: 4d6da24f355cc56c25e370d5aa75b8c36953d904d9cb8993dab2a546d2ac562c
Risk Score: 280

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.002 Spearphishing Attachment

The PDF file contains obfuscated JavaScript within an encrypted stream, triggered by an OpenAction. This indicates an attempt to hide malicious code execution. The presence of PDF_LAUNCH and PDF_EMBEDDED_SCRIPT_PAYLOAD heuristics, along with the ClamAV detection for obfuscated objects, strongly suggests a malicious PDF designed to exploit vulnerabilities and execute embedded scripts. The embedded script payload is the primary indicator of malicious intent, likely downloading and executing a second-stage payload.

Heuristics 7

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • OpenAction trigger high PDF_OPENACTION
    PDF has an /OpenAction that launches, submits, or opens an external target
  • Launch action high PDF_LAUNCH
    PDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
  • Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • /Launch action target: ��4��\ high PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '��^�:�A6tc���j���'��3ߪ��˥�p���Dl.����`�����_�,�U�#�E}F�Fn���\n@�gRG��I9�8ق-���9\n���G���F �ġ�yb�H{*=�Q�a��\'.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_00027eb1.bin
SHA-256: 70342e0370215a640c3dc4898b26f1aa47b3e7c5d717006ad732698d6129c8c6
Kind: pdf-embedded-script
Source: PDF decompressed stream script payload at offset 0x27EB1
Size: 163926 bytes
Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely
  • Carved artifact contains 1 shell/COM execution token(s).