Malicious PDF — malware analysis report

Static analysis result for SHA-256 546a874c00959179…

Verdict: MALICIOUS
File type: PDF
Size: 7.7 KB
Authoring application: Qimigiwova (via 1c0f8Bashemeriwesohitaro)
MD5: 67e4b27dae8059e9dd96b68728a907e8
SHA-1: bee55e551aaf3918c05f3b813f5d86f029c88bb8
SHA-256: 546a874c00959179a3c6a79a4db2b923124880dac4471df4bb3460c24c333b5c
Risk Score: 76

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ClamAV detection further confirms its malicious nature. The embedded JavaScript is likely responsible for executing arbitrary code, potentially leading to further compromise. The obfuscated nature of the JavaScript and the lack of specific indicators in the document body make it difficult to determine the exact payload or family, hence 'unknown family'. The IOC provided is a reconstructed string from the embedded artifacts.

Heuristics (3)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0010_000.js
    SHA-256: ed31b16df2b6492a4d5be85b534deca964c2f0e07a8443782787f4ed9c62c93c
    Kind: pdf-javascript-stream
    Source: PDF /JS object 10 at offset 0x1303
    Size: 3192 bytes