PDF malware analysis — malicious · 90ecf7674fc7d19b

MALICIOUS

PDF

MD5: 3e8e13c005e768cf2f7677447a117b21 SHA-1: e4462352855eade062cb502e3b4d4e95578b206c SHA-256: 90ecf7674fc7d19ba18cbb3f56bc968ed3028d60f6e0145137c387ab743e7721

226 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript that is triggered by user interaction, indicated by the 'PDF_JAVASCRIPT' and 'PDF_JS' heuristics. This script is likely responsible for extracting and executing an embedded payload, as suggested by the 'PDF_EMBEDDED_SCRIPT_PAYLOAD' and 'EXTRACTED_FILE_STATIC_TRIAGE' firings. The ClamAV detection of 'Doc.Downloader.Jaff-6329915-0' on both the main PDF and an extracted artifact further confirms its malicious nature as a downloader.

Heuristics 8

ClamAV: Doc.Downloader.Jaff-6329915-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Jaff-6329915-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE

PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`IOZHB7OM.zip` `903009fce8532924f1b563553078268fb6658e76b1b0ab6df9ca5d1463757beb`	pdf-embedded-file	PDF EmbeddedFile object 4 at offset 0x869	116 bytes
`0.docm` `f4632ca7e63bdb96ee9d6fb0c4bcb558b69612fff5c8771ff8489d18fb1dfe1d`	pdf-embedded-file	PDF EmbeddedFile object 8 at offset 0x9BD	11370 bytes
`1.xlsx` `95d44ba9b1684bda97fd78f150794190549cc6712a039efd73b775a8049daec2`	pdf-embedded-file	PDF EmbeddedFile object 12 at offset 0x2CDA	7723 bytes
`IOZHB7OM_1.txt` `ae69660947d7d77b7c7497cc51d4be19c66a98e38374b6dea8a7e3bea99021dd`	pdf-embedded-file	PDF EmbeddedFile object 14 at offset 0x42F8	260 bytes
`IOZHB7OM.doc` `8cfca61eef80629ad427fa38cfcc3c25cde418d601394ecdf38f05c697fb0b8f`	pdf-embedded-file	PDF EmbeddedFile object 16 at offset 0x44EB	94208 bytes
Detection ClamAV: Doc.Downloader.Jaff-6329915-0 Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`javascript_obj0018_000.js` `6f407a699069ccaa625b1b953f7f244f66b1553f97ddeac7459113a2c93a8242`	pdf-javascript-stream	PDF /JS object 18 at offset 0xDDF6	126 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.