Malicious PDF — malware analysis report

Static analysis result for SHA-256 55215e5c4bf1ba79…

Verdict: MALICIOUS
File type: PDF
Size: 3.6 KB
MD5: f14844d0cdbf6741c0ae3fce003413f7
SHA-1: d6c49a2d229b3b4c469f06a3eb8ed042baaf78d6
SHA-256: 55215e5c4bf1ba79afbc24587d6a51a252259ba130f38966e3b87c53ff0c4b6d
Risk score: 456

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1059.005 Visual Basic

The PDF file contains embedded JavaScript that uses the eval() and unescape() functions, which is indicative of obfuscation. The sample is designed to download and execute a second-stage payload, as evidenced by the PDF_LAUNCH_COMMAND heuristic, which reconstructs the /Launch command as 'cmd.exe /c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream"'. This chain of commands suggests a dropper mechanism, likely leveraging CVE-2010-1240 to achieve execution. The ML classifier also strongly flags this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (12)

  • CVE_2010_1240_LAUNCH_VBS_DROPPER (critical, CVE likely): Adobe Reader Launch action VBS dropper command chain
    PDF uses a CVE-2010-1240-style Launch action: cmd.exe is invoked from /Launch and builds a VBS stage that uses ADODB.Stream, MSXML2.XMLHTTP, or FileSystemObject to write or execute a payload.
  • PDF_LAUNCH (critical): Launch action
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application.
  • PDF_JS_EXPLOIT_CLUSTER (critical): PDF JavaScript exploit cluster
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF_LAUNCH_COMMAND (critical): /Launch action target: cmd.exe
    PDF /Launch action specifies an executable target with parameters '/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • PDF_EVAL (high): eval() call
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream).
  • PDF_UNESCAPE (high): unescape() call
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
  • PDF_EMBEDDED_SCRIPT_PAYLOAD (high): Embedded script payload in PDF stream
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF_JS_WSCRIPT_DOWNLOADER (high): PDF JavaScript WScript downloader
    Decoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_FROMCHARCODE (low): String.fromCharCode
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj111611_000.js
    SHA-256: 9864171cc4152f5d3e5671809dd40cebe1cf9319d0b8bfb0abd003cff50482db
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111611 at offset 0x771
    Size: 332 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 3 eval/decoder/string-building token(s))
  • embedded_pdf_script_000008da.bin
    SHA-256: 40abd21cc16d7f47deccc3a181fad013ee9391fed16bacfc36cd3459490f7ecc
    Kind: pdf-embedded-script
    Source: PDF decompressed stream script payload at offset 0x8DA
    Size: 90 bytes