Malicious PDF — malware analysis report

Static analysis result for SHA-256 83e51be4301cef0e…

Verdict: MALICIOUS
File type: PDF
Size: 300.6 KB
MD5: 250d00be7bbd8fcc4fee3af17cf605e5
SHA-1: 5d0fab393ca3e9cb22291f7d9c4968099497c129
SHA-256: 83e51be4301cef0ec7cd471e8fd7f456530017e1e610906f12fa20c8ee60133e
Risk Score: 144

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript and a critical heuristic firing for an embedded PE executable payload. The JavaScript stream and the embedded executable are the primary indicators of malicious activity. The presence of these components suggests the PDF is designed to download and execute a second-stage payload. The ClamAV detection further supports the malicious nature of the file.

Heuristics (6)

  • [critical] PDF_EMBEDDED_PE_PAYLOAD: Embedded Windows executable payload in PDF stream
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • [critical] CLAMAV_DETECTION: ClamAV: Heuristics.PDF.ObfuscatedNameObject
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • [low] PDF_JAVASCRIPT: JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_XFA: XFA form
    PDF uses XML Forms Architecture (XFA), which can contain script logic.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0012_000.js
    SHA-256: 2b74c7c7b7b2397e534dc2286308428c08f5c8396eecb75af45057ab17bb0204
    Kind: pdf-javascript-stream
    Source: PDF /JS object 12 at offset 0x4A24D
    Size: 5143 bytes
  • Filename: stream_000_off00000337.bin
    SHA-256: 3d68b6c65f2aff682ee36830025e4b0bbc1d6190719567586d71e5b17223b3fc
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x337
    Size: 525856 bytes
  • Filename: embedded_pdf_0002cd45.exe
    SHA-256: 134290aa3b149f9e74c1f654ec13eb88ed554418fb8a3698b7f05058966f4d61
    Kind: embedded-pe
    Source: PDF decompressed stream PE payload at offset 0x2CD45
    Size: 343058 bytes