Malicious PDF — malware analysis report

Static analysis result for SHA-256 829c4166e08e7edf…

MALICIOUS

PDF

9.5 KB
MD5: 232ffee2575dfe77409cdbc228a8c2b4 SHA-1: d21cafde2130a9981f461705bf194c8777f59ebc SHA-256: 829c4166e08e7edff364b79f14dfa226b943c02d746a1f3e86082f00a452c4cd
64 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript with multiple heuristic firings indicating obfuscation and execution via eval(). The use of String.fromCharCode() further suggests the script is designed to be difficult to analyze statically. While the specific payload is not directly visible, the techniques employed strongly indicate the script's purpose is to download and execute a second-stage payload. The benign URLs present do not detract from the malicious nature indicated by the JavaScript execution.

Heuristics 5

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off000004ac.bin
4447bc3bf2370788a868beaf4e818cbde6061d04686c8a8695d700584551fe2b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4AC 4794 bytes
objstm_0025_00.bin
8b4886c9285fc6b8261233f8d1dcf8084b962d540a69034e522cf4fef3a5ceff		 pdf-objstm-decoded PDF /ObjStm 25 0 obj (inflated) 428 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.