Malicious PDF — malware analysis report

Static analysis result for SHA-256 8bf6fe411636cf15…

Verdict: MALICIOUS
File type: PDF
Size: 2.0 KB
MD5: 848df859ab01afb8d61b35398e551209
SHA-1: 48d744b5b2a75128f3b0fa63171530c70283af06
SHA-256: 8bf6fe411636cf153e97a6952856fb74f07097352b79d3deb8b6bb356a7e2cba
Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains an embedded JavaScript payload, indicated by the 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristic and by the JavaScript file carved from a decompressed stream. ClamAV also flagged the file as malicious because of obfuscated name objects. The embedded script is the primary attack mechanism and is likely intended to download and execute further malicious content. Because the script is obfuscated and its specific content could not be recovered, the exact payload and delivery mechanism cannot be definitively determined; this results in an 'unknown family' classification with moderate confidence.

Heuristics (3)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_000_off0000005b.js
SHA-256: a53bea94f97b75316e2971ac8eb4834ed81e4e777d927cff2f96603015c29ce4
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x5B
Size: 2028 bytes