Malicious PDF — malware analysis report

Static analysis result for SHA-256 8cb997602d7dbe25…

Verdict: MALICIOUS
File type: PDF
Size: 985.1 KB
Created: 2007-03-23 11:58:44 +11:00
Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 6.0.1 (Windows))
MD5: 765b9e5fbb5542b19c8ccb9ddd7e334a
SHA-1: 6bb0b93130f64490adc04268f9ea387d3326aa3a
SHA-256: 8cb997602d7dbe2521673c19b93842f35430dbef178c466ce30eb9348f7b0f72
Risk score: 82

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), and PDF_FROMCHARCODE indicates obfuscation techniques. The embedded JavaScript stream, named 'javascript_obj0089_003.js', and the embedded file 'PM.joboptions' are suspicious. The script likely downloads and executes a second-stage payload, but the exact URL or payload could not be determined due to obfuscation.

Heuristics (8)

  • eval() call (severity: high, rule: PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low, rule: PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Additional-actions dictionary (severity: low, rule: PDF_AA)
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
  • String.fromCharCode (severity: low, rule: PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All six URLs below are standard XMP/RDF namespace identifiers from the document's metadata, not hosts the script contacts.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (24)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size | Detection / notes |
|---|---|---|---|---|---|
| PM.joboptions | 5cf97cfee76c3bcd5d889b3138e05d6571e7d097b173dd3eee4be6813c9dd743 | pdf-embedded-file | PDF EmbeddedFile object 228 at offset 0xD286A | 12758 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 12 long base64-like blobs) |
| javascript_obj0089_003.js | 13070c62a8cea3969dde7717006dfd3172e2eb81fd36430d843c743ad0010f65 | pdf-javascript-stream | PDF /JS object 89 at offset 0x4A1D | 5778 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens) |
| stream_049_off00098056.bin | 3a3bdb3024c1c7594b559a72219d0970fadb562266d5620594292cb6bda46799 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x98056 | 16457 bytes | none reported |
| stream_092_off000ed6cb.bin | bb57daef6a5f16139569fd25beec82cabc19b43c498f92b4d5f2c51559875a9b | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xED6CB | 5325 bytes | none reported |
| font_00_cff_off000d9e57.bin | 9abe7060e90ed8be0e1fec89f1a019fbf867283cef4a0debc8b191766beade71 | pdf-font-stream | PDF embedded font (cff) at offset 0xD9E57 | 6674 bytes | none reported |
| font_01_cff_off000db4cd.bin | 5c65942f428492c8abc256a1873d1c3e2795d1bdc0e855d06c3532e46e69d4e2 | pdf-font-stream | PDF embedded font (cff) at offset 0xDB4CD | 11628 bytes | none reported |
| font_02_cff_off000dd902.bin | b2c1727f677ffe3dfec9efc001de8c5e4faaa3b9664b51f9075150e21b3e2697 | pdf-font-stream | PDF embedded font (cff) at offset 0xDD902 | 1739 bytes | none reported |
| font_03_cff_off000ddf89.bin | 89a4a8dda94376ff41fc66e14938d1343aae1e52401ab0c1ca7dc87b05705dd7 | pdf-font-stream | PDF embedded font (cff) at offset 0xDDF89 | 344 bytes | none reported |
| font_04_cff_off000de12f.bin | f290febfe9f86dbc8eebd9f05545249d120076d2494b0c17e6fd694db951db59 | pdf-font-stream | PDF embedded font (cff) at offset 0xDE12F | 5427 bytes | none reported |
| font_05_cff_off000df240.bin | 23cc21031d2e5d14daedc236dbf5dda61ff77b869762958f56d5e8c74c924d90 | pdf-font-stream | PDF embedded font (cff) at offset 0xDF240 | 4550 bytes | none reported |
| font_06_cff_off000e0201.bin | 732ee10c168e303c1c43016af0a795812870fafae85fd701e4462ab7be39ec74 | pdf-font-stream | PDF embedded font (cff) at offset 0xE0201 | 10989 bytes | none reported |
| font_07_cff_off000e2436.bin | 286024b2e1c1cf26dbb20d06dcf67216d33dcddd65487a7c969bfed5d83890b1 | pdf-font-stream | PDF embedded font (cff) at offset 0xE2436 | 3765 bytes | none reported |
| font_08_cff_off000e30cc.bin | c0e3eb9477d2098a35ea52b3a3d44bd668bc8647f27d8d0b5e6717fabbce04e2 | pdf-font-stream | PDF embedded font (cff) at offset 0xE30CC | 5981 bytes | none reported |
| font_09_cff_off000e459f.bin | d8091add2fe5839ae7d6819262ab968261e71c56c89e4c76b50e6d955c781a91 | pdf-font-stream | PDF embedded font (cff) at offset 0xE459F | 8710 bytes | none reported |
| font_10_cff_off000e61d4.bin | 72e8655da6974c1a005ce24079cd80acad9bc4c95c6e0d465a85f1bcb433e5e0 | pdf-font-stream | PDF embedded font (cff) at offset 0xE61D4 | 146 bytes | none reported |
| font_11_cff_off000e62b9.bin | 7f5f582bed9380cd2704c3d17a78a339fe597f922bcab47428620dc64c1ea86e | pdf-font-stream | PDF embedded font (cff) at offset 0xE62B9 | 3834 bytes | none reported |
| font_12_cff_off000e6f8f.bin | 2a0957fc9e4ec2619aaea996482308e1547550ad838f9858471cced9d07aec4f | pdf-font-stream | PDF embedded font (cff) at offset 0xE6F8F | 3282 bytes | none reported |
| font_13_cff_off000e772e.bin | 0747bf0982ce38a787d73551ee531011328d6483fa745e3e9c436d086fad9cb6 | pdf-font-stream | PDF embedded font (cff) at offset 0xE772E | 20543 bytes | none reported |
| font_14_cff_off000eb2cf.bin | f77b47d6881cc9918e03da6250e4bddd966705c75b72243401299b6b47a402e7 | pdf-font-stream | PDF embedded font (cff) at offset 0xEB2CF | 12390 bytes | none reported |
| font_16_cff_off000ee7da.bin | 93aec3901c615fe223cf0d1b99089b90c4496b5ef5d998ccb525b4a8cd4e74c2 | pdf-font-stream | PDF embedded font (cff) at offset 0xEE7DA | 4326 bytes | none reported |
| font_17_cff_off000ef7b6.bin | 3a5dfd1f9eb957ee039d7e49012a41e76f45cd3b6760f556ad86e9f90ac05c20 | pdf-font-stream | PDF embedded font (cff) at offset 0xEF7B6 | 5038 bytes | none reported |
| font_18_cff_off000f0972.bin | 3d35cd988b24f9766e76ac72688f03029298df676e285947740e08506d26434e | pdf-font-stream | PDF embedded font (cff) at offset 0xF0972 | 2382 bytes | none reported |
| font_19_cff_off000f2be7.bin | 6a315c4e6a74aa87bbe309ebbd49ffae0379b12994da202552ac98107857a98f | pdf-font-stream | PDF embedded font (cff) at offset 0xF2BE7 | 8350 bytes | none reported |
| font_20_cff_off000f4576.bin | 93adbde5569c00297551e68ebd8f09443ed004df2653137c81efc7951c2ba93a | pdf-font-stream | PDF embedded font (cff) at offset 0xF4576 | 1729 bytes | none reported |