Malicious PDF / .TMP — malware analysis report

Static analysis result for SHA-256 91d5569d7186a90f…

MALICIOUS

PDF / .TMP

1.95 MB
MD5: 6494ff894dcc12a9a3b9736dd84dc45d SHA-1: 81fc81cca332bc0f1fd73e4945a80c1dc8707a70 SHA-256: 91d5569d7186a90ffb597c919c9346181996b3d7b0a85e0ad8402c66906295db
196 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/JScript T1553.005 Mark-of-the-Web Bypass

The file is a PDF containing embedded JavaScript, which is a common technique for delivering exploits. Static analysis detected multiple JavaScript-related heuristics and a critical finding indicating a secondary embedded PDF with suspicious static findings. The ClamAV detection 'Heuristics.PDF.ObfuscatedNameObject' further supports its malicious nature. The embedded PDF artifact is the primary IOC.

Heuristics 5

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
polyglot_child_pdf_off00001442.pdf
8d2e014bdd4ecb2e566a904a7018c4245ae7ecc7ea2b432e01c6d7fc260d6b81		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x1442 2042814 bytes
Detection
ClamAV: Heuristics.PDF.ObfuscatedNameObject
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.