Malicious PDF — malware analysis report

Static analysis result for SHA-256 952bd7bc0de6bc34…

MALICIOUS

PDF

371.0 KB
MD5: 29046f833733c36d23a6076ece9b89b8 SHA-1: 8eb138fd302cb6eeff2f88de663aebd091d1a3d5 SHA-256: 952bd7bc0de6bc342696c9482e515ebb12f481850a6109d2cad7bf1450c735e5
146 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

This PDF file contains embedded JavaScript and is configured with an OpenAction trigger, indicating it's designed to execute code upon opening. The presence of a JavaScript stream and the ClamAV detection as 'Pdf.Dropper.Agent-7140481-0' strongly suggest this is a dropper. The embedded JavaScript likely attempts to download and execute a secondary payload. The heuristic 'SE_CALLBACK_LURE' also suggests a potential callback phishing or tech-support scam pretext, though the primary mechanism appears to be code execution.

Heuristics 8

  • ClamAV: Pdf.Dropper.Agent-7140481-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7140481-0
  • OpenAction trigger high PDF_OPENACTION
    PDF has an /OpenAction — code runs automatically when opened
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.InsiderSoftware.com/fontlist/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0005_000.js
45908dd8c513f182d7e7ef79360ebb3c04a21a99f4e8c5e99c7a70c33797d582		 pdf-javascript-stream PDF /JS object 5 at offset 0x2616 19881 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
icc_00_off0004240c.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x4240C 3144 bytes
font_00_sfnt_off0000447d.bin
5f96e1e90c4ef56487c91d02c05141dca0967f8e2bbd5d67be6c4f381f0afa79		 pdf-font-stream PDF embedded font (sfnt) at offset 0x447D 62160 bytes
font_01_sfnt_off0000d8d3.bin
b661c2e877dd6b7625208ae148d736aedb24eda2d4f014262cbb7f958f538ca0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD8D3 71216 bytes
font_02_sfnt_off0001a92e.bin
8b62f203a4ab5c2ac76368029c584b4fa12fffc17f3b6e4e43a9997416807d21		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1A92E 11156 bytes
font_03_sfnt_off0001c8df.bin
d375c22ace40f0b973d7308d85023b2e0e49d40dc51da45552d116868346475e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C8DF 37232 bytes
font_04_sfnt_off0002372c.bin
afeb9e1e920aae3aca3f295f1bbccba46b16423dac14b1b5fde4b661de9198cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2372C 46764 bytes
font_05_sfnt_off0002bfa7.bin
95592346b00d039686aa3d7e22eae3d52b011e7e842a5c123f73e89ea766cd35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2BFA7 22628 bytes
font_06_sfnt_off0003803e.bin
6cf6df6beee88aa138f821122d0c1969b348cebe09cafe5b5f6a7eb8c27107a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3803E 32640 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.