Malicious PDF — malware analysis report

Static analysis result for SHA-256 94fd2e9aa07c893c…

Verdict: MALICIOUS
File type: PDF
Size: 959.5 KB
Authoring application: Adobe Illustrator 11.0
MD5: 4a13079e984a6c49ae0123cdef2043dc
SHA-1: da2c71155fe67535043053bcda71fff7f41130dc
SHA-256: 94fd2e9aa07c893c942fbafaabf67307ca4c3bafb8230a5f2da57cbb982c37df
Risk score: 174

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The first two follow directly from a weaponised PDF that depends on the recipient opening it. The T1059.001 mapping is not corroborated by the extracted content: the embedded-script heuristic below notes that no Windows shell-execution primitives accompany the script, and the payload itself was not recovered, so treat PowerShell as an assumed second stage rather than an observed one.

This PDF carries multiple embedded JavaScript streams, several of which use the familiar obfuscation trio of eval(), unescape() and String.fromCharCode() (each scored by its own rule below). The document also contains U3D/3D content, a CVE-family indicator because Adobe Reader's U3D parser has a history of code-execution flaws (CVE-2011-2462 and CVE-2009-3953 are cited in the heuristics); the most plausible reading is that the JavaScript prepares shellcode in memory for an exploit against that parser, which is exactly the pattern the unescape() and eval() rules exist to catch. That reading is an inference, not a recovered chain: the extracted scripts are obfuscated and truncated, so the payload and its delivery mechanism could not be determined statically, and ClamAV matched no signature on any carved artifact. Two details from the artifact list deserve follow-up. The carved FlateDecoded scripts from offset 0x2B108 onward recur in groups of three at similar sizes (about 7.1 to 7.4 KB, 2.5 to 2.8 KB and 10.2 to 10.7 KB) yet with distinct hashes, so the document appears to carry several variants of the same script set rather than one copy, and the directly referenced /JS object (256) is by far the largest at roughly 200 KB. The "Adobe Illustrator 11.0" authoring string is document metadata under the author's control and should not be used for attribution. Confirming the exploit and recovering the second stage requires detonating the sample in an instrumented, vulnerable Adobe Reader build.

Heuristics (9)

  • [high] PDF_U3D_CVE_RELATED, tagged CVE-related: U3D/3D content in PDF (Adobe Reader 3D parser CVE-family indicator)
    PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • [high] PDF_EVAL: eval() call
    eval() found; commonly used for obfuscated exploit execution (matched inside decoded stream).
  • [high] PDF_UNESCAPE: unescape() call
    unescape() found; often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
  • [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD: Embedded script payload in PDF stream
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. Common in accessible XFA forms but worth surfacing for analyst review.
  • [low] PDF_JAVASCRIPT: JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_FROMCHARCODE: String.fromCharCode
    String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
  • [low] PDF_OPTIONAL_CONTENT: Optional Content Group with action trigger
    An Optional Content Group (layer) co-occurs with an action trigger, so content can be selectively hidden from viewers or scanners while the action still fires on open.
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
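The rule list above is mechanical enough to reproduce, and doing so is a useful cross-check on a verdict that rests on heuristics rather than signatures. The Python script below is an added example, not the analysis platform's own code. It constructs a small PDF inline with the same indicators (a /3D annotation, an optional content group alongside an /OpenAction, and a FlateDecoded /JS stream that uses eval(), unescape() and String.fromCharCode()), carves the FlateDecode streams, counts the same tokens the artifact triage reports, statically decodes literal unescape("%u....") and String.fromCharCode(...) arguments, and flags a run of 0x90 NOPs in the decoded bytes. The rule identifiers reuse the report's names; the regexes, severities, NOP-sled threshold and sample content are this example's assumptions, and the carver tolerates only one level of dictionary nesting and ignores /ObjStm object streams, both of which a production tool must handle.

```python
"""Static triage for the PDF indicators scored in the report above (added example,
not the analysis platform's code). The sample PDF is constructed inline; the rule
identifiers are the report's, the regexes, severities and sample content are assumed."""
import re
import zlib

# Tokens behind the report's PDF_EVAL / PDF_UNESCAPE / PDF_FROMCHARCODE rules.
TOKENS = (b"eval(", b"unescape(", b"String.fromCharCode")
# Tolerates one level of dictionary nesting; a production carver should honour
# /Length and also inflate /ObjStm object streams (the report lists two).
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
UNESCAPE_ARG = re.compile(rb"""unescape\(\s*["']((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})+)["']\s*\)""")
ESCAPE_UNIT = re.compile(rb"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
FROMCHARCODE = re.compile(rb"String\.fromCharCode\(([\d\s,]+)\)")

def carve_flate_streams(pdf: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, inflated bytes) for every /FlateDecode stream that inflates."""
    carved = []
    for m in STREAM_RE.finditer(pdf):
        if b"/FlateDecode" not in m.group(1):
            continue
        try:
            carved.append((m.start(2), zlib.decompress(m.group(2))))
        except zlib.error:
            pass  # truncated or non-zlib body; decompressobj() would recover partial data
    return carved

def count_tokens(js: bytes) -> dict[str, int]:
    """Count the eval/decoder/string-building tokens the artifact triage reports."""
    return {t.decode(): js.count(t) for t in TOKENS}

def decode_unescape(js: bytes) -> list[bytes]:
    """Statically decode literal unescape("%uXXXX%XX...") arguments to bytes.
    %uXXXX is a UTF-16 code unit stored little-endian, the order shellcode relies on."""
    blobs = []
    for m in UNESCAPE_ARG.finditer(js):
        buf = bytearray()
        for unit in ESCAPE_UNIT.finditer(m.group(1)):
            if unit.group(1):
                buf += int(unit.group(1), 16).to_bytes(2, "little")
            else:
                buf.append(int(unit.group(2), 16))
        blobs.append(bytes(buf))
    return blobs

def decode_fromcharcode(js: bytes) -> list[str]:
    """Rebuild strings assembled from literal String.fromCharCode(n, n, ...) calls."""
    return ["".join(chr(int(n.strip())) for n in m.group(1).split(b",") if n.strip())
            for m in FROMCHARCODE.finditer(js)]

def triage(pdf: bytes) -> dict:
    """Apply the structural and per-stream heuristics and return a report-like dict."""
    hits, streams = {}, []
    if re.search(rb"/Subtype\s*/3D\b|/3DD\b|/U3D\b", pdf):
        hits["PDF_U3D_CVE_RELATED"] = "high"
    if re.search(rb"/S\s*/JavaScript\b", pdf):
        hits["PDF_JAVASCRIPT"] = "low"
    if re.search(rb"/JS\b", pdf):
        hits["PDF_JS"] = "low"
    if re.search(rb"/OC\b", pdf) and re.search(rb"/OpenAction\b|/AA\b", pdf):
        hits["PDF_OPTIONAL_CONTENT"] = "low"  # layer plus an action that fires on open
    for offset, data in carve_flate_streams(pdf):
        tokens, blobs = count_tokens(data), decode_unescape(data)
        streams.append({
            "offset": hex(offset), "size": len(data), "tokens": tokens,
            "strings": decode_fromcharcode(data),
            "decoded_bytes": sum(len(b) for b in blobs),
            "nop_sled": any(b"\x90" * 8 in b for b in blobs),  # cheap heap-spray tell
        })
        if tokens["eval("]:
            hits["PDF_EVAL"] = "high"
        if tokens["unescape("]:
            hits["PDF_UNESCAPE"] = "high"
        if tokens["String.fromCharCode"]:
            hits["PDF_FROMCHARCODE"] = "low"
    return {"heuristics": hits, "streams": streams}

def build_sample_pdf() -> bytes:
    """Constructed sample (not the analysed file) carrying the report's indicators."""
    js = (b'var sc = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%ucccc");\n'
          b'var url = String.fromCharCode(104,116,116,112);\n'
          b'eval("app.alert(url)");\n')
    body = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R /OCProperties << /OCGs [5 0 R] >> >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body) + body + b"\nendstream",
        b"<< /Type /OCG /Name (hidden) >>",
        b"<< /Type /Annot /Subtype /3D /3DD 7 0 R /OC 5 0 R >>",
    ]
    pdf = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    for rule, severity in sorted(triage(build_sample_pdf())["heuristics"].items()):
        print(f"{severity:6} {rule}")
```

Run stand-alone it prints the seven rules the constructed sample triggers with their assumed severities. Applied to a real sample, the decoded_bytes and nop_sled fields are the quickest way to tell an unescape() that decodes UI strings from one that stages shellcode, and the strings recovered from String.fromCharCode() frequently expose URLs or API names that the obfuscation was meant to hide.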

Extracted artifacts (28)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source (object or file offset), size and, where run, detection results.

javascript_obj0256_000.js
  SHA-256: 944051d30594ca6efe0954bd229ef0dff7411d1d69c5df07ab95a0bd8a667340
  Kind: pdf-javascript-stream | Source: PDF /JS object 256 at offset 0x3EF71 | Size: 205126 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 4 eval/decoder/string-building token(s)

stream_036_off00026b35.js
  SHA-256: 15c4a9fcb8bc8fe324ee0e3d3fbbb245de27f64edba04eb77d3ad86fad4f3bff
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x26B35 | Size: 22268 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 5 eval/decoder/string-building token(s)

stream_037_off00027bde.js
  SHA-256: 8318cfbb06a989fbf9e85a57016222466e46af8ad73bfeaba24d2a84f97e6481
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x27BDE | Size: 17945 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 5 eval/decoder/string-building token(s)

stream_038_off000289c9.js
  SHA-256: b89d1dc94c6752251533a68dbbbff2e3664eb8f8ec1eae658c84d61abf6b272e
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x289C9 | Size: 10321 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 8 eval/decoder/string-building token(s)

stream_042_off0002b108.js
  SHA-256: d8f14cfafa3c03678e5ff35f701bdd62552412ced26fc79fc2950e1670eb1106
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x2B108 | Size: 7147 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 4 eval/decoder/string-building token(s)

stream_043_off0002b87d.js
  SHA-256: 4015e032519fe09c2125cd1c8b0afe77cb0b1ebb4b901fd3ce95443d03d0e440
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x2B87D | Size: 2656 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 4 eval/decoder/string-building token(s)

stream_044_off0002bca9.js
  SHA-256: 6b90b88c18883c688269f08c79fa872098622d3f019c36db3551651baf370f70
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x2BCA9 | Size: 10670 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 10 eval/decoder/string-building token(s)

stream_048_off0002e169.js
  SHA-256: 85e818c3e948c1ba3c1bd21fd1a336ab5e0aa057068ee54fbb39f50cfacf99b9
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x2E169 | Size: 7394 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 5 eval/decoder/string-building token(s)

stream_049_off0002e8fb.js
  SHA-256: 24da1f1fe8bd43c35d2681ffed6b729b22882f60c72d739751808aa04d27cdca
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x2E8FB | Size: 2758 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 5 eval/decoder/string-building token(s)

stream_050_off0002ed28.js
  SHA-256: d12c1ba8623a48297c3120c2d1075cd786d812ec68ef5dcd78d0acd5eb98d1f0
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x2ED28 | Size: 10467 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 9 eval/decoder/string-building token(s)

stream_054_off00032280.js
  SHA-256: 90114c0d3b099b78b3901483d819fd961f54ceee50f637f9b96cc2d8756ae4ce
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x32280 | Size: 7420 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 6 eval/decoder/string-building token(s)

stream_055_off00032a37.js
  SHA-256: e74b886445cd2b2b72eaa85280d69d39cfeea997437ef83969d83510cff2b7ee
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x32A37 | Size: 2532 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 3 eval/decoder/string-building token(s)

stream_056_off00032e28.js
  SHA-256: b0ced4c0736652e87d948f9a258d89a25115c72efc25bc905a10f9ffe15386c1
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x32E28 | Size: 10189 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 7 eval/decoder/string-building token(s)

stream_060_off00035287.js
  SHA-256: bbe5462dff538e4c762b844ae26be18d05ea1ba04dcd3555421dab8f834e2065
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x35287 | Size: 7138 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 4 eval/decoder/string-building token(s)

stream_061_off000359ca.js
  SHA-256: 05257e8805c2fd9de9e0dd76497b1ddc1f27bd657af0465843d552cb5b559df3
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x359CA | Size: 2536 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 3 eval/decoder/string-building token(s)

stream_062_off00035db7.js
  SHA-256: cdf262cc54dbd21f64c550849a95d856876ecb3d8f60b9f4d3e7af1472662455
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x35DB7 | Size: 10492 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 9 eval/decoder/string-building token(s)

stream_066_off000380e8.js
  SHA-256: 251f202a2f48f4cf50dbe7ad008ece1d683ff823af1199db78ab81c3409e6bda
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x380E8 | Size: 7180 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 4 eval/decoder/string-building token(s)

stream_067_off0003884d.js
  SHA-256: 0a8ebb1f6423e7516ad1ce66bfe63b45a9177edb1d9f14cc972f83bd0cc53716
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x3884D | Size: 2795 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 5 eval/decoder/string-building token(s)

stream_068_off00038c6b.js
  SHA-256: dec9c1ab3410769e817610e212fac1ee6a59b7acdf409a4e4007d48fc0a6592b
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x38C6B | Size: 10487 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 8 eval/decoder/string-building token(s)

stream_072_off0003b399.js
  SHA-256: b82a9be713f15e49297f6c2a57c55f9eb8925fac72ab69df6958f946fffc2932
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x3B399 | Size: 7445 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 5 eval/decoder/string-building token(s)

stream_073_off0003bb52.js
  SHA-256: 00616f2ee7537947cade8eddb9c713970aa17d256789346ecfc610bd48e5ba7e
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x3BB52 | Size: 2524 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 3 eval/decoder/string-building token(s)

stream_074_off0003bf49.js
  SHA-256: 7c8f5045f1a9cbc3c4972b920d5459cbf9d8f1ea8faff72df5d910cc73dae60c
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x3BF49 | Size: 10440 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 9 eval/decoder/string-building token(s)

stream_078_off0003e263.js
  SHA-256: 83da19540fe1155419c9447af6746e3d22d54e164830fa31ef79da4d7bcde0b4
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x3E263 | Size: 7177 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 4 eval/decoder/string-building token(s)

stream_079_off0003e9eb.js
  SHA-256: 1bcdd99a74e80832caef99dc35bd9582f111818bd03f16dc035ffea0348ad9d5
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x3E9EB | Size: 2748 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely | 5 eval/decoder/string-building token(s)

objstm_0267_00.bin
  SHA-256: 0b0d272b75744fd65991a38e8edb55466d01fd4d5d2b1b775dca99da7e73f4d9
  Kind: pdf-objstm-decoded | Source: PDF /ObjStm 267 0 obj (inflated) | Size: 524 bytes

objstm_0268_00.bin
  SHA-256: b14cf8625cf28a62dd3ffa238b71372931928293b97cb4018cae9e713c2ab27e
  Kind: pdf-objstm-decoded | Source: PDF /ObjStm 268 0 obj (inflated) | Size: 3871 bytes

font_00_sfnt_off000010ef.bin
  SHA-256: f39f99e2d4b021d4eac703afe26d32ad26f128c442f2089910c21b1f323fc85d
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x10EF | Size: 79301 bytes

font_01_cff_off0000ed7f.bin
  SHA-256: ff2bd39b1311329d9bedf20dcc32a5c5691647192c7f1c6f455126503a909ee9
  Kind: pdf-font-stream | Source: PDF embedded font (cff) at offset 0xED7F | Size: 1558 bytes