Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ad1be9e5e12c4a6…

Verdict: MALICIOUS
File type: PDF
Size: 87.7 KB
Created: 2008-10-21 11:20:17 +02:00
Authoring application: Acrobat PDFMaker 7.0.5 for Word (via Acrobat Distiller 7.0.5 (Windows))
MD5: 19450f8e62cc10113b235ff324cae445
SHA-1: 28ad99f5fffcc4e51320729390618350e88c896c
SHA-256: 5ad1be9e5e12c4a626e974e5d8ad78e132be33a91d5aa20011d2b175b366f802
Risk score: 220

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF sample contains multiple JavaScript streams, with critical heuristics indicating an exploit cluster involving eval() and String.fromCharCode. This suggests the JavaScript is designed to download and execute a secondary payload. ClamAV also detected this as Pdf.Dropper.Agent-6307740-0, reinforcing its role as a dropper. No specific malware family could be identified.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5677

Heuristics (9)

  • PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Dropper.Agent-6307740-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-6307740-0
  • eval() call (high, PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (low, PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://www.iec.ch

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

  • javascript_obj0177_001.js | pdf-javascript-stream | PDF /JS object 177 at offset 0xD7FC | 125 bytes
    SHA-256: 4b024e23c65bfca25f3ae333f366444cecd6a5c9b6de4aa5317d59031ba7404c
  • javascript_obj0180_002.js | pdf-javascript-stream | PDF /JS object 180 at offset 0xD9F9 | 164 bytes
    SHA-256: 75de26c7269a06fc7825d89a4493e04c155efbc3d382c286d2ca06aa600a7a01
  • javascript_obj0181_003.js | pdf-javascript-stream | PDF /JS object 181 at offset 0xDAE2 | 71 bytes
    SHA-256: d9b0adb46e43b8cd8f2eb61236ec7a0221ad24b9a1f7645cda6a8eab5b3017a2
  • javascript_obj0182_004.js | pdf-javascript-stream | PDF /JS object 182 at offset 0xDB66 | 226 bytes
    SHA-256: 23848f82ba8dd1727256c379d74d46b173e4203c87038b552108fe1a31085ace
  • javascript_obj0183_005.js | pdf-javascript-stream | PDF /JS object 183 at offset 0xDC91 | 123 bytes
    SHA-256: 87df0063dd37411bf7c05daea98911845ff37309944eb19a3a431442ccb6b0c5
  • javascript_obj0186_006.js | pdf-javascript-stream | PDF /JS object 186 at offset 0xDF2A | 155 bytes
    SHA-256: e7d2b044057b58674be0ea0c54e16627d204280bd51d432a58b60a9f0330023b
  • javascript_obj0173_007.js | pdf-javascript-stream | PDF /JS object 173 at offset 0xBB76 | 2796 bytes
    SHA-256: 548e830acb60b0693c1287a313d05733670f9866b62a498e4d2851f47f69d7f1
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens)
  • javascript_obj0179_008.js | pdf-javascript-stream | PDF /JS object 179 at offset 0xD8F3 | 348 bytes
    SHA-256: 72c2057e454a7b396f11686f58a7dfb1a3f5cdf0a6f3083f5b3095f3a2d66490
  • javascript_obj0185_009.js | pdf-javascript-stream | PDF /JS object 185 at offset 0xDD84 | 839 bytes
    SHA-256: 47dcb0f74a1455cf5ab1be391b91fea4dd0f57a1ba23cc0302991a79c6f44034
  • javascript_obj0188_010.js | pdf-javascript-stream | PDF /JS object 188 at offset 0xE030 | 682 bytes
    SHA-256: 137658fa3aca71ffe89611ab5a7e3145f16d99c4c39ee9d0da35be2e4e954e19
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens)
  • javascript_obj0192_011.js | pdf-javascript-stream | PDF /JS object 192 at offset 0xFA7A | 1953 bytes
    SHA-256: 7e836de381f2f76b8ff329849b67b7900327d366bd492b589f305466c82424f1
  • javascript_obj0195_012.js | pdf-javascript-stream | PDF /JS object 195 at offset 0x115EB | 1920 bytes
    SHA-256: 43c00eb73bdfa495c4633d55e3dcf96f8075ab475973c6e113ca5ae00f777aff
  • stream_026_off0001311c.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1311C | 680 bytes
    SHA-256: bb24839c735b75b5a17c5d1f306f9bfd75adf0eea4cd379fbd5a4e7df263cdc5
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens)
  • stream_028_off00014a91.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x14A91 | 594 bytes
    SHA-256: 1543e9aa82f174befe9cad258b5c79a1d678664173ad95e6844c24a1a8e03126
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens)
  • icc_00_off00004f73.icc | pdf-icc-profile | PDF ICC profile at offset 0x4F73 | 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e