Malicious PDF — malware analysis report

Static analysis result for SHA-256 938eb19d538df117…

MALICIOUS

PDF

258.2 KB Created: 2010-04-21 00:46:53 +08:00 Authoring application: Adobe Acrobat 9.3.2 (via Adobe Acrobat 9.3.2 Image Conversion Plug-in)
MD5: 77c4fbfc8970d7bd11085617942e16c1 SHA-1: f5ebcca7c8d38717653e11e131114b4313de5b93 SHA-256: 938eb19d538df117249c46fd97c2a6593d26bb4deea5da8f5fc9b0b38d67effc
186 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript and Flash content, indicated by PDF_JAVASCRIPT, PDF_JS, and PDF_RICHMEDIA heuristics. ClamAV detection (Pdf.Exploit.Agent-35955) confirms its malicious nature. The embedded JavaScript and Flash are likely used to exploit a vulnerability and download a secondary payload, as suggested by the extracted artifact names 'javascript_obj0011_000.js' and 'pad.swf'.

Heuristics 7

  • ClamAV: Pdf.Exploit.Agent-35955 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35955
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
pad.swf
c8a20e8ded0e5fe8a6a5cddff2408ac7f8a83df3f18abea5748cc817f3a3ebb9		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x10F 26810 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35955
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
javascript_obj0011_000.js
e8f5d8f2ef38ed2de1948a2423257a50d6db6e6a3121fe4019594411e6913d51		 pdf-javascript-stream PDF /JS object 11 at offset 0x6E79 2617 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.