Malicious PDF — malware analysis report

Static analysis result for SHA-256 50cc33287f6ce064…

MALICIOUS

PDF

30.1 KB
MD5: 166eaeb011ef4b190322dfa716579fd5 SHA-1: 3c713fa7d0a05dea15fd53adfde003a7f39e1190 SHA-256: 50cc33287f6ce064309f6daf77e1d400961cc1987140035f49ca8fc569f1a4c7
106 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and a RichMedia (Flash) object, indicated by the PDF_JAVASCRIPT, PDF_JS, and PDF_RICHMEDIA heuristics. The presence of an eval() call within the JavaScript suggests code execution. The embedded JavaScript stream and the embedded file are suspicious artifacts that likely contribute to the malicious functionality. The exact intent of the script is unclear due to obfuscation, but it is likely designed to download and execute a second-stage payload.

Heuristics 6

  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0016.bin
767382813fc770c9716554c3266b22eee1636037ca964af05acf6ff66db4a27d		 pdf-embedded-file PDF EmbeddedFile object 16 at offset 0xD53 26993 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
javascript_obj0006_000.js
f35f0ff7f475a70cfd18f920261dc0075e6236af1ebfa5709f1a54ec8fc9b288		 pdf-javascript-stream PDF /JS object 6 at offset 0xF9 2311 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.