Malicious PDF — malware analysis report

Static analysis result for SHA-256 86d4a58288f577ef…

MALICIOUS

PDF

955.9 KB Created: 6/9/2005 12:9:57 Authoring application: Adobe Illustrator CS2 (via Adobe PDF library 7.77)
MD5: d2433f159c49245193543ae3d1024494 SHA-1: c05d7552ccd0f57f1b60ffdd72f99d95a29b81d9 SHA-256: 86d4a58288f577ef043817c42251344f36fe73d641125c2ecac82dd3704642d5
114 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains embedded JavaScript, including calls to eval() and String.fromCharCode, indicating an attempt to obfuscate malicious code. The presence of a U3D/3D content indicator related to CVEs suggests exploitation of a vulnerability in Adobe Reader's 3D parsing. The embedded URL 'http://demo.kaon.com/advisor/index.html?mode=consumer' is likely used to host or redirect to a malicious payload. The script's primary intent appears to be the execution of arbitrary code, potentially leading to further compromise.

Heuristics 8

  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://demo.kaon.com/advisor/index.html?mode=consumer
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0095_010.js
cb0b3d4c5f194e021b9a0221da3eb5e452e0eca53b84aa0f617c46eec75a9684		 pdf-javascript-stream PDF /JS object 95 at offset 0x27F28 33 bytes
javascript_obj0100_011.js
578aed31eeb16c7d5addb14deabb33c6d1ff616db3cf6757e3c42ed2a6f5cd20		 pdf-javascript-stream PDF /JS object 100 at offset 0x28D61 32 bytes
javascript_obj0105_012.js
ef3ea8a689375d1da4f1dc9d6cd8cab6faef31e75fc06dc5a4a8f1b59794f706		 pdf-javascript-stream PDF /JS object 105 at offset 0x29D36 33 bytes
javascript_obj0052_018.js
49468814c0e3bc5d99f805eae5a4e94dec11a5a0f91725d1c090bc2c107227fc		 pdf-javascript-stream PDF /JS object 52 at offset 0x20621 41133 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 15 eval/decoder/string-building token(s).
stream_020_off0002d9ec.bin
a9f6dd82a34e8696e7f646136f73f2f1af478170043fafa3c4c55a0915d5a82c		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2D9EC 810652 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.91, consistent with packed or encrypted content.
stream_021_off000cc23b.js
9246d57269b0f07f749ba2f344ab7f5640310bc4d5c97e8e5ae89cf81fef5ed4		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xCC23B 133712 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.