Malicious PDF — malware analysis report

Static analysis result for SHA-256 90004b38610367ea…

MALICIOUS

PDF

26.7 KB Created: 2011-02-09 13:41:10 +02:00 Authoring application: Wiki Halal Loans (via mPDF 5.0)
MD5: 45fb1f636427883a747ebb2158d93d32 SHA-1: bf4a4478f6f698610068ffb797beaea8413daf46 SHA-256: 90004b38610367ea520846b785c327ba89714f186e285e7468e67997760fc63b
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript streams that are heavily obfuscated using hex escape sequences. The heuristics indicate that these scripts are designed to download and execute further malicious content. The obfuscation suggests an attempt to evade detection. Due to the obfuscation, the exact payload and delivery mechanism cannot be definitively determined, but the intent is clearly malicious.

Heuristics 4

  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0022_000.js
357d06d70777f397a54fd04180a5ee36f36a8ec5c7cbbafdfab41f20901b25ac		 pdf-javascript-stream PDF /JS object 22 at offset 0x643E 136 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).
javascript_obj0022_001.js
607a0753f2d28ea7a383d2e729ee9a1eeb69db22eafb74fa3e1d444ae047c123		 pdf-javascript-stream PDF /JS object 22 at offset 0x643E 134 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.