Malicious PDF — malware analysis report

Static analysis result for SHA-256 947faca180fca3db…

MALICIOUS

PDF

59.5 KB
MD5: 9675985233458f8d67e7933c7d602c5c SHA-1: dd72ec01b53f5354443dcc24f5a433268fb42a1a SHA-256: 947faca180fca3db94e572017409e715483be3713041bf8cf85b19a494b1b2e0
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF sample contains multiple high-severity heuristics indicating JavaScript execution and potential exploitation. Specifically, PDF_JAVASCRIPT, PDF_JS, PDF_EVAL, and PDF_UNESCAPE all point to the use of JavaScript within the PDF. The PDF_RICHMEDIA heuristic suggests the presence of Flash content, which can also be used for exploitation. An embedded file, 'embedded_file_obj0003.bin', was also extracted, which is often used to deliver secondary payloads. The benign URLs present do not detract from the malicious indicators.

Heuristics 9

  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0003.bin
f0156a5c9cfac0444d237fb92b5b9731faaa34f807b3d583c1b88283feefed46		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0xCA2 26804 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
objstm_0019_00.bin
04a3e24da39ac97adbe306218caaf47c75da93853fac507d5c50c3db4596a756		 pdf-objstm-decoded PDF /ObjStm 19 0 obj (inflated) 4374 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.