Malicious PDF — malware analysis report

Static analysis result for SHA-256 790b020a6defa241…

MALICIOUS

PDF

1.76 MB Created: 2008-03-03 17:06:20 +08:00 Authoring application: Advanced PDF Repair: http://www.pdf-repair.com
MD5: 62dde1f33d9a72141ca1fc2802ac6a9f SHA-1: b6f30eecedfc4b7ca27057c1b6ab9ae562d3e66d SHA-256: 790b020a6defa24151f4d6e7dfdddd52b351220bebce2e93b3ca4e98d56c04db
74 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

This PDF file exhibits multiple indicators of malicious intent, including embedded JavaScript with eval() calls and an embedded file. The primary mechanism for attack appears to be the embedded JavaScript, which is likely designed to download and execute a secondary payload. The presence of XFA form elements and the authoring application 'Advanced PDF Repair' are also noted, but the core malicious activity is attributed to the script.

Heuristics 7

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.pdf-repair.com
    • http://www.pdf-repair.com)/Producer(Advanced
    • http://www.pdf-repair.com)/ModDate(D:20100406171120+08
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0038_000.js
d09b3f8531bbd0b9fb1a15b94dac709f7710e3e969ad94204049ce689fed2ee0		 pdf-javascript-stream PDF /JS object 38 at offset 0x151D 18155 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.