PDF malware analysis — malicious · 82a54eb24ff554e9

MALICIOUS

PDF

25.4 KB Created: 2011-72-51 03:25:00 Authoring application: String.fromCharCode

MD5: 46fa39e86bce56d26394b8d3a7088d64 SHA-1: 4f1e31eff434abb7bc89187aa04f1b69383391a4 SHA-256: 82a54eb24ff554e90459fc5a8bd24b7b90048b1369d0dc87c661697f61556695

64 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded JavaScript, triggered via metadata, which utilizes String.fromCharCode. This technique is commonly used to obfuscate malicious code, often serving as a stager to download and execute further payloads. The heuristics indicate a PDF metadata JavaScript eval stager, suggesting a downloader pattern.

Heuristics 4

PDF metadata JavaScript eval stager high PDF_METADATA_EVAL_STAGER

PDF JavaScript reads document metadata fields such as title, subject, or producer, decodes character data with parseInt/String.fromCharCode style helpers, and evals the recovered stage. This is a high-signal exploit-kit staging pattern.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
String.fromCharCode low PDF_FROMCHARCODE

String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0001_000.js` `f72f2830e3f868e68e7019d23137611346c14ba1ea12e08565a21e0ee5257b79`	pdf-javascript-stream	PDF /JS object 1 at offset 0x62BA	519 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.