Malicious PDF — malware analysis report

Static analysis result for SHA-256 9420c4873592b022…

MALICIOUS

PDF

11.2 KB Created: 2010-12-26 18:41:07 +03:00 Authoring application: D_anMo (via 544defa)
MD5: 6a19e6df36d40a0e455406473301b769 SHA-1: 196f589c57bce82b5e4d9cecf97d0757c575038d SHA-256: 9420c4873592b02278ede1f55af5b85616f744486efc85f23c3b19055f040aa2
74 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.007 JavaScript

The PDF file contains multiple embedded JavaScript streams, with several triggering heuristics related to JavaScript execution and obfuscation. One heuristic specifically points to an eval() call, indicating dynamic code execution. The presence of these JavaScript objects suggests the document's primary function is to leverage these scripts, likely for downloading and executing a secondary payload. The document body is unreadable, so the rationale is based solely on the script-related heuristics.

Heuristics 6

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0011_000.js
338ce9f135aae948b37227a003cad4e77453612910582f169fd68eb445847f97		 pdf-javascript-stream PDF /JS object 11 at offset 0x2365 1186 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
javascript_obj0013_001.js
b0f7410eb45c7da3a4382499f0edb52ee8fb1f064913fda3f2f60c18ecb79df6		 pdf-javascript-stream PDF /JS object 13 at offset 0x2607 492 bytes
javascript_obj0015_002.js
6ffb0090fbe2df8b2be872d1ac1161ca87b2cc21c53c37702b9483d07e873a8a		 pdf-javascript-stream PDF /JS object 15 at offset 0x279F 124 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.