Malicious PDF — malware analysis report

Static analysis result for SHA-256 57610da89033b5f3…

MALICIOUS

PDF

79.3 KB Created: 2009-08-25 16:07:23 Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: 829cedca7f9d4153b1db8f79e8cfadf7 SHA-1: ec210c89b8315bf122d356923e4ca41c54df6219 SHA-256: 57610da89033b5f3f7992416276d1240437bdaea00c8227ef3a37918e54a068f
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains embedded JavaScript, with one heuristic specifically flagging an eval() call and another indicating obfuscated script content. The presence of JavaScript actions and streams, combined with the 'Suspicious extracted artifact' heuristic, suggests the script is designed to download and execute a secondary payload. The document body is image-based, serving as a lure, and no specific malware family could be confidently identified.

Heuristics 5

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0065_000.js
55637f815fc7947fef0a1f32a66d670027cfecafa88525dedd4a85209c3b966f		 pdf-javascript-stream PDF /JS object 65 at offset 0x109E2 77 bytes
javascript_obj0066_001.js
59ac8d0f499b7f06806c2f062de255dfacaa0002a2562bb8fa23504bfb4d6281		 pdf-javascript-stream PDF /JS object 66 at offset 0x10A67 22882 bytes
javascript_obj0067_002.js
8c29837891f036db9e072b9901065c52a9a6400b5351076abfd3f47be476532d		 pdf-javascript-stream PDF /JS object 67 at offset 0x1347B 244 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.