Malicious PDF — malware analysis report

Static analysis result for SHA-256 83f25ef52e725e28…

Verdict: MALICIOUS
File type: PDF
Size: 2.86 MB
Created: 2006-11-07 11:38:03 -07:00
Authoring application: Adobe Illustrator 11.0 (via Deep Exploration 5 5.0.5.1846 Release)
MD5: 9260e39e449deda31dcdad6da5ee7d7f
SHA-1: 6f2aa4b2d58a5bd1d394820f49995f454ed27eff
SHA-256: 83f25ef52e725e286d29c2aebe416c9812470c9a1e6b9cde25f970f910d7dc44
Risk score: 174

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that utilizes eval() and unescape() functions, indicating obfuscated code execution. The presence of U3D/3D content and related CVE indicators suggests exploitation of a 3D rendering vulnerability. The script likely downloads and executes a second-stage payload. The benign URLs extracted do not provide further clues to the attack's nature.

Heuristics (10)

  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator (severity: high; CVE related; rule: PDF_U3D_CVE_RELATED)
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • eval() call (severity: high; rule: PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream).
  • unescape() call (severity: high; rule: PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
  • Embedded script payload in PDF stream (severity: medium; rule: PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (severity: low; rule: PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
  • Optional Content Group with action trigger (severity: low; rule: PDF_OPTIONAL_CONTENT)
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists: Filename, SHA-256, Kind, Source, Size, and (where available) Detection results.

  • javascript_obj0052_000.js
    SHA-256: 48a78f4b219b11d13eaa65d056367b72b36cbf9d9c594d8f9863c7d1b656fdb3
    Kind: pdf-javascript-stream
    Source: PDF /JS object 52 at offset 0x1EB51
    Size: 241065 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely — carved artifact contains 4 eval/decoder/string-building token(s).
  • stream_013_off0001cb11.js
    SHA-256: ebed4506b65abe19fbdb5dbfed083d11e159c3c0fd5858d07c7dae9c76556f35
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1CB11
    Size: 21908 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely — carved artifact contains 4 eval/decoder/string-building token(s).
  • stream_014_off0001dbdc.js
    SHA-256: a9cc20b5f807a27c79c4e4f4250698867f10a7c6c3753197a600f17b57955848
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1DBDC
    Size: 17602 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely — carved artifact contains 4 eval/decoder/string-building token(s).
  • stream_016_off0002acf5.bin
    SHA-256: ec1aa9b1b1f460f693aeeaac328f1cf0efcf919064a1506780633f657ae581de
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2ACF5
    Size: 3367096 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely — carved artifact entropy is 7.67, consistent with packed or encrypted content.
  • stream_017_off00270ce1.js
    SHA-256: 4d2f3e0167f3da30aee4ca4a20dd427dad359d07bcfb6227a94bb1fa7d97142c
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x270CE1
    Size: 151466 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely — carved artifact contains 2 eval/decoder/string-building token(s).
  • objstm_0073_00.bin
    SHA-256: 83b7c3532142a006798261e590cc739a036441fe3700cc98cd561163af864e91
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 73 0 obj (inflated)
    Size: 520 bytes
  • objstm_0074_00.bin
    SHA-256: 290b8c25166634fcf7a622f11fcc7b80af062672030b70fb73f854f2ffdacd8b
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 74 0 obj (inflated)
    Size: 1019 bytes
  • objstm_0085_00.bin
    SHA-256: fd6fb9a6c98b830c4299144fc762348ca065cced5a5c58d1d154266a0c6071e2
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 85 0 obj (inflated)
    Size: 224 bytes
  • font_00_sfnt_off00000ef8.bin
    SHA-256: f39f99e2d4b021d4eac703afe26d32ad26f128c442f2089910c21b1f323fc85d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF8
    Size: 79301 bytes
  • font_01_cff_off0000eb4b.bin
    SHA-256: ff2bd39b1311329d9bedf20dcc32a5c5691647192c7f1c6f455126503a909ee9
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xEB4B
    Size: 1558 bytes