Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ae41f4fd4fc43e2…

Verdict: MALICIOUS
File type: PDF
Size: 106.2 KB
Created: 2008-10-21 11:20:17 +02:00
Authoring application: Acrobat PDFMaker 7.0.5 for Word (via Acrobat Distiller 7.0.5 (Windows))
MD5: f33195938dccdcd3be5990ee1fb76f08
SHA-1: 324dc9ec06ab6b83d4aa9ad5df078a3cf8b1b1af
SHA-256: 7ae41f4fd4fc43e2996cb3d597855f629d082fa7c6bff83e2a759107af0f28b8
Risk score: 220

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that uses eval() and String.fromCharCode, indicating an attempt to obfuscate malicious code. Heuristics and ClamAV detection strongly suggest an exploit targeting PDF-reader vulnerabilities for client execution. The JavaScript functions appear to be part of a hashing routine, likely used to process or deobfuscate a payload before execution. None of the extracted URLs or domains was found to be malicious, but the combination of exploit code and obfuscated JavaScript points to a downloader or dropper.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.5520

Heuristics (9)

  • PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Exploit.Agent-2174 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-2174
  • eval() call (high, PDF_EVAL)
    eval() found: commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (low, PDF_FROMCHARCODE)
    String.fromCharCode found: used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://www.iec.ch

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size, plus detection notes where present.

  • javascript_obj0177_001.js
    SHA-256: 4b024e23c65bfca25f3ae333f366444cecd6a5c9b6de4aa5317d59031ba7404c
    Kind: pdf-javascript-stream
    Source: PDF /JS object 177 at offset 0xD7FC
    Size: 125 bytes
  • javascript_obj0180_002.js
    SHA-256: 75de26c7269a06fc7825d89a4493e04c155efbc3d382c286d2ca06aa600a7a01
    Kind: pdf-javascript-stream
    Source: PDF /JS object 180 at offset 0xD9F9
    Size: 164 bytes
  • javascript_obj0181_003.js
    SHA-256: d9b0adb46e43b8cd8f2eb61236ec7a0221ad24b9a1f7645cda6a8eab5b3017a2
    Kind: pdf-javascript-stream
    Source: PDF /JS object 181 at offset 0xDAE2
    Size: 71 bytes
  • javascript_obj0182_004.js
    SHA-256: 23848f82ba8dd1727256c379d74d46b173e4203c87038b552108fe1a31085ace
    Kind: pdf-javascript-stream
    Source: PDF /JS object 182 at offset 0xDB66
    Size: 226 bytes
  • javascript_obj0183_005.js
    SHA-256: 87df0063dd37411bf7c05daea98911845ff37309944eb19a3a431442ccb6b0c5
    Kind: pdf-javascript-stream
    Source: PDF /JS object 183 at offset 0xDC91
    Size: 123 bytes
  • javascript_obj0186_006.js
    SHA-256: e7d2b044057b58674be0ea0c54e16627d204280bd51d432a58b60a9f0330023b
    Kind: pdf-javascript-stream
    Source: PDF /JS object 186 at offset 0xDF2A
    Size: 155 bytes
  • javascript_obj0173_007.js
    SHA-256: 548e830acb60b0693c1287a313d05733670f9866b62a498e4d2851f47f69d7f1
    Kind: pdf-javascript-stream
    Source: PDF /JS object 173 at offset 0xBB76
    Size: 2796 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 4 eval/decoder/string-building token(s).
  • javascript_obj0179_008.js
    SHA-256: 72c2057e454a7b396f11686f58a7dfb1a3f5cdf0a6f3083f5b3095f3a2d66490
    Kind: pdf-javascript-stream
    Source: PDF /JS object 179 at offset 0xD8F3
    Size: 348 bytes
  • javascript_obj0185_009.js
    SHA-256: 47dcb0f74a1455cf5ab1be391b91fea4dd0f57a1ba23cc0302991a79c6f44034
    Kind: pdf-javascript-stream
    Source: PDF /JS object 185 at offset 0xDD84
    Size: 839 bytes
  • javascript_obj0188_010.js
    SHA-256: 137658fa3aca71ffe89611ab5a7e3145f16d99c4c39ee9d0da35be2e4e954e19
    Kind: pdf-javascript-stream
    Source: PDF /JS object 188 at offset 0xE030
    Size: 682 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 4 eval/decoder/string-building token(s).
  • javascript_obj0192_011.js
    SHA-256: 7e836de381f2f76b8ff329849b67b7900327d366bd492b589f305466c82424f1
    Kind: pdf-javascript-stream
    Source: PDF /JS object 192 at offset 0xFA7A
    Size: 1953 bytes
  • javascript_obj0195_012.js
    SHA-256: 43c00eb73bdfa495c4633d55e3dcf96f8075ab475973c6e113ca5ae00f777aff
    Kind: pdf-javascript-stream
    Source: PDF /JS object 195 at offset 0x115EB
    Size: 1920 bytes
  • stream_026_off0001311c.js
    SHA-256: bb24839c735b75b5a17c5d1f306f9bfd75adf0eea4cd379fbd5a4e7df263cdc5
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1311C
    Size: 680 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 4 eval/decoder/string-building token(s).
  • stream_028_off00014a91.js
    SHA-256: 1543e9aa82f174befe9cad258b5c79a1d678664173ad95e6844c24a1a8e03126
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x14A91
    Size: 594 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 2 eval/decoder/string-building token(s).
  • icc_00_off00004f73.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x4F73
    Size: 3144 bytes