Malicious PDF — malware analysis report

Static analysis result for SHA-256 774b2e86add1b696…

Verdict: MALICIOUS
File type: PDF
Size: 520.7 KB
MD5: 76be76ffe15785f500abdaba97e3eeba
SHA-1: 187017760826de8011fabe571e5731b8272fde96
SHA-256: 774b2e86add1b69658e8317f09f5b2ae8fec97b08eace933f27214c022c38d13
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File

The PDF carries embedded JavaScript (PDF_JAVASCRIPT, PDF_JS). The high-severity PDF_EVAL hit means the script hands data to eval(), the usual way obfuscated document malware unpacks its real code when the file is opened; the carved script also contains 12 eval/decoder/string-building tokens and two long base64-like blobs, consistent with a packed second stage. That stage is likely used to download and run a further payload (hence the PowerShell technique listed above), but static analysis alone does not confirm what it does. PDF_JBIG2_ACTIVE_CONTENT records that a JBIG2Decode-filtered image sits alongside the active content, a pairing seen in JBIG2 parser-exploit families; it is a related indicator, not a CVE fingerprint. No family could be identified and ClamAV has no signature for the carved script, but the combination of an image-only lure, JavaScript and an eval() unpacker is typical of initial access via a malicious document.

Heuristics (7)

  • PDF_JBIG2_ACTIVE_CONTENT (high, CVE related): JBIG2 + active content
    JBIG2Decode appears with JavaScript/XFA/RichMedia, a related indicator for JBIG2 parser-exploit families including CVE-2021-30860 and CVE-2009-0658, but not a unique CVE fingerprint.
  • PDF_EVAL (high): eval() call
    eval() found; commonly used for obfuscated exploit execution.
  • PDF_JBIG2 (medium): JBIG2Decode filter
    JBIG2 image decoder present; historically used in zero-click exploits.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_IMAGE_ONLY_LURE (info): PDF paints image(s) but contains no text operators
    PDF has 1 image XObject and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams: the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. Informational unless paired with invisible links or risky URI context.
  • EXTRACTED_FILE_STATIC_TRIAGE (info): suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
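The heuristics above can be reproduced with a small static scanner. The following is an added example, not the code that produced this report: the rule names are the report's, but the weights, the object-carving regexes and the two sample PDFs (a screenshot-style lure with an eval() unpacker beside a benign form that paints real text) are assumptions constructed here. It decodes FlateDecode streams, resolves the /JS reference to its stream object, checks only the page's /Contents streams for text operators, and pairs JBIG2Decode with any active content.

```python
import re
import zlib

# Rule names are the report's; the weights are assumed for illustration only.
WEIGHTS = {"PDF_JAVASCRIPT": 5, "PDF_JS": 5, "PDF_EVAL": 40, "PDF_JBIG2": 20,
           "PDF_JBIG2_ACTIVE_CONTENT": 40, "PDF_IMAGE_ONLY_LURE": 0}

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")
# Text-showing operators: BT/ET blocks, Tj, TJ and the ' and " forms after a string
TEXT_OPS_RE = re.compile(rb"(?<![A-Za-z0-9])(BT|ET|Tj|TJ)(?![A-Za-z0-9])|\)\s*['\"]")
EVAL_RE = re.compile(rb"\beval\s*\(")


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> (dictionary text, decoded stream bytes or b'')."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        head, stream = m.group(2), b""
        s = STREAM_RE.search(head)
        if s:
            head, stream = head[:s.start()], s.group(1)
            if b"/FlateDecode" in head:
                try:
                    stream = zlib.decompress(stream)
                except zlib.error:
                    pass  # keep raw bytes; a corrupt filter chain is itself a signal
        objs[int(m.group(1))] = (head, stream)
    return objs


def content_streams(objs: dict) -> list:
    """Streams named by a page's /Contents entry (single reference or array)."""
    out = []
    for head, _ in objs.values():
        m = re.search(rb"/Contents\s*(\[[^\]]*\]|\d+\s+\d+\s+R)", head)
        for n in (REF_RE.findall(m.group(1)) if m else []):
            if int(n) in objs:
                out.append(objs[int(n)][1])
    return out


def scan_pdf(pdf: bytes) -> dict:
    objs = parse_objects(pdf)
    heads = b"\n".join(h for h, _ in objs.values())
    # JavaScript may be an inline string (already in heads) or a referenced stream
    js_code = [heads]
    for head, _ in objs.values():
        m = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", head)
        if m and int(m.group(1)) in objs:
            js_code.append(objs[int(m.group(1))][1])
    hits = set()
    if re.search(rb"/JavaScript(?![A-Za-z])", heads):
        hits.add("PDF_JAVASCRIPT")
    if re.search(rb"/JS(?![A-Za-z])", heads):
        hits.add("PDF_JS")
    if any(EVAL_RE.search(code) for code in js_code):
        hits.add("PDF_EVAL")
    if b"/JBIG2Decode" in heads:
        hits.add("PDF_JBIG2")
        if hits & {"PDF_JS", "PDF_JAVASCRIPT"} or b"/XFA" in heads or b"/RichMedia" in heads:
            hits.add("PDF_JBIG2_ACTIVE_CONTENT")
    images = len(re.findall(rb"/Subtype\s*/Image\b", heads))
    has_text = any(TEXT_OPS_RE.search(c) for c in content_streams(objs))
    if images and not has_text:
        hits.add("PDF_IMAGE_ONLY_LURE")
    return {"hits": sorted(hits), "score": sum(WEIGHTS[h] for h in hits),
            "images": images, "text_ops": has_text}


def build_pdf(js: bytes, content: bytes, jbig2_image: bool) -> bytes:
    """Assemble a minimal PDF for the scanner (constructed sample; no xref table,
    which object carving does not need)."""
    def stream(head: bytes, data: bytes, flate: bool = True) -> bytes:
        if flate:
            head, data = head + b" /Filter /FlateDecode", zlib.compress(data)
        return (b"<< " + head + (b" /Length %d >>\nstream\n" % len(data))
                + data + b"\nendstream")
    objs = {
        1: b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 5 0 R" if js else b"") + b" >>",
        2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R "
           b"/Resources << /XObject << /Im0 6 0 R >> >> >>",
        4: stream(b"", content),
    }
    if js:
        objs[5] = b"<< /S /JavaScript /JS 7 0 R >>"
        objs[7] = stream(b"", js)
    if jbig2_image:
        # Zero bytes stand in for a JBIG2 segment stream; not real image data
        objs[6] = stream(b"/Type /XObject /Subtype /Image /Width 8 /Height 8 "
                         b"/ColorSpace /DeviceGray /BitsPerComponent 1 /Filter /JBIG2Decode",
                         b"\x00" * 16, flate=False)
    body = b"".join(b"%d 0 obj\n" % n + objs[n] + b"\nendobj\n" for n in sorted(objs))
    return b"%PDF-1.7\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed samples: an image-only lure with a harmless eval(unescape()) unpacker
# (it decodes to app.alert(1)) beside a benign form that paints text and only alerts.
LURE_CONTENT = b"q 612 0 0 792 0 0 cm /Im0 Do Q"
TEXT_CONTENT = b"BT /F1 12 Tf 72 700 Td (Invoice attached) Tj ET"
OBFUSCATED_JS = b"var p = '%61%70%70%2e%61%6c%65%72%74%28%31%29'; eval(unescape(p));"
BENIGN_JS = b"app.alert('Please complete the form.');"


def triage_samples() -> tuple:
    lure = scan_pdf(build_pdf(OBFUSCATED_JS, LURE_CONTENT, jbig2_image=True))
    form = scan_pdf(build_pdf(BENIGN_JS, TEXT_CONTENT, jbig2_image=False))
    return lure, form


if __name__ == "__main__":
    for name, result in zip(("lure", "form"), triage_samples()):
        print(name, result)
```

The benign form trips only the two low-severity JavaScript rules, which is why those rules are weighted lightly and the dangerous APIs are scored separately; the lure collects PDF_EVAL, PDF_JBIG2_ACTIVE_CONTENT and PDF_IMAGE_ONLY_LURE on top of them. A real scanner must also follow object streams (/ObjStm) and the other stream filters, which this example does not.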

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0009_000.js
SHA-256: bbcbd26b0f3954d80ea8c477e29c1612608da2085b5c3f96666c47470fa6e8b4
Kind: pdf-javascript-stream
Source: PDF /JS object 9 at offset 0x802F8
Size: 7858 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
  Carved artifact contains 12 eval/decoder/string-building token(s) and 2 long base64-like blob(s).
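The static triage applied to the carved script (token counting and base64-blob detection) is straightforward to reproduce, and it is worth going one step further than the report: decoding each blob and classifying or re-scanning what comes out, since a base64 string in a PDF unpacker is usually the next stage. The following is an added example, not the sandbox's own checker; the token list, the 40-character "long blob" threshold, the verdict rule and the sample script (which encodes a constructed app.launchURL() call and a PE-looking header, not the real carved object) are assumptions.

```python
import base64
import re

# Tokens that unpack, decode or assemble code at run time (assumed list)
TOKEN_RE = re.compile(
    r"\b(eval|unescape|atob|decodeURIComponent|Function|String\.fromCharCode"
    r"|charCodeAt|split|join|reverse|replace)\s*\(")
# Acrobat JS APIs and URL schemes that execute or fetch something (assumed list)
EXEC_RE = re.compile(
    r"\b(app\.launchURL|exportDataObject|submitForm|getURL|https?://)", re.I)
# "Long" base64-like run; 40 characters is an assumed threshold
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"\x7fELF", "elf")]


def classify(data: bytes) -> str:
    """Label decoded blob contents by magic bytes, else text vs. binary."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    return "text" if all(c.isprintable() or c in "\r\n\t" for c in text) else "binary"


def triage_js(src: str, depth: int = 0, max_depth: int = 2) -> dict:
    tokens = TOKEN_RE.findall(src)
    exec_terms = EXEC_RE.findall(src)
    blobs = []
    for blob in B64_RE.findall(src):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            blobs.append({"len": len(blob), "kind": "not-base64"})
            continue
        entry = {"len": len(blob), "kind": classify(decoded)}
        # Peel one layer: decoded text is usually the next stage of the same script
        if entry["kind"] == "text" and depth < max_depth:
            entry["nested"] = triage_js(decoded.decode("ascii"), depth + 1, max_depth)
        blobs.append(entry)
    suspicious = (len(tokens) >= 3 or bool(exec_terms)
                  or any(b["kind"] != "not-base64" for b in blobs))
    return {"tokens": tokens, "exec_terms": exec_terms, "blobs": blobs,
            "verdict": "likely" if suspicious else "unlikely"}


# Constructed sample: stage two is a URL launcher; the second blob only looks like a PE.
STAGE2 = "app.launchURL('http://example.invalid/update');"
B64_A = base64.b64encode(STAGE2.encode()).decode()
B64_B = base64.b64encode(b"MZ" + b"\x90" * 40).decode()
SAMPLE_JS = f"""var k = '{B64_A}';
var m = '{B64_B}';
var s = k.split('');
var d = '';
for (var i = 0; i < s.length; i++) {{ d += String.fromCharCode(s[i].charCodeAt(0)); }}
eval(atob(d));
"""

if __name__ == "__main__":
    print(triage_js(SAMPLE_JS))
```

On the sample this reports five unpacking tokens, a text blob whose decoded contents carry an app.launchURL() call and an http:// URL, and a second blob that decodes to an MZ header; a plain app.alert() form script comes back "unlikely". The nested result is what turns "obfuscation: likely" into a concrete claim about what the script does, which is the gap the summary above leaves open.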