Malicious PDF — malware analysis report

Static analysis result for SHA-256 97d0d68d1be97436…

Verdict: MALICIOUS
File type: PDF
Size: 336.3 KB
Created: 2006-04-24 14:53:59 UTC
Authoring application: PScript5.dll Version 5.2 (via FDFMerge 5.0.4 Linux 7 SPDF_1096+ May 3 2004)
MD5: 90895a80840b64a06733084773776a7c
SHA-1: b064bb973d6946837a6fa1d042f688e3d778a1c5
SHA-256: 97d0d68d1be97436ed38c7e089706b7ea4a474c4b43f3a15c592659a4696f2a7
Risk Score: 74

Malware Insights

MITRE ATT&CK: T1059.001 (PowerShell)

The PDF file contains multiple JavaScript streams, with one particularly large stream (javascript_obj0021_007.js) indicating complex or obfuscated code. The presence of PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL heuristics, specifically an eval() call, strongly suggests that the embedded JavaScript is designed to execute arbitrary code. This execution is likely intended to download and run a second-stage payload, a common technique for malware delivery. The obfuscation indicators further support this assessment.

Heuristics (7)

  • eval() call (severity: high, rule PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (severity: low, rule PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • AcroForm button with action trigger (severity: low, rule PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, kind, source location inside the PDF, size and SHA-256.

  • javascript_obj0158_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 158 at offset 0x4DD10
    Size: 55 bytes
    SHA-256: 9ce8e999a7f077bf80b8be89d07d5ff68632cae2aa595a4d7844509360f837e2
  • javascript_obj0161_001.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 161 at offset 0x4E063
    Size: 72 bytes
    SHA-256: 73e83df5dcb45dc9bd4e213fc19b421b9a63f7a9ed1ee55ff111dd894f4547b0
  • javascript_obj0168_004.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 168 at offset 0x4FA0C
    Size: 33 bytes
    SHA-256: b49875e7a786cc7d62191be88c49afc7a7f53551d4ec30ddf24c3fd7583d7233
  • javascript_obj0020_006.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 20 at offset 0x27B7C
    Size: 953 bytes
    SHA-256: c7c78022d4d68df1c6d5823fff77aa65840b148e3779f50598ae1f4204228e49
  • javascript_obj0021_007.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 21 at offset 0x27D41
    Size: 5005 bytes
    SHA-256: f73818a4f4923d902e721dcd73a34348991f5c3b0042c5e39fec025056106405
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 10 eval/decoder/string-building token(s).
  • stream_006_off000186ab.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x186AB
    Size: 107773 bytes
    SHA-256: f8b5634482dabaf0040161953b708d7648a1dc1459beb6e63bf997bafb4818f7
  • stream_043_off0004b815.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4B815
    Size: 30627 bytes
    SHA-256: 0a165ab3795ff2e8a147401c2a0430d30efe0a4e75a3d6091ec89324454faad8
  • font_00_sfnt_off000030bb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x30BB
    Size: 35680 bytes
    SHA-256: cc4306895cc9c95ea88222838b79fc2d701926d2218b1c0cf16f96cd5307c526
  • font_01_sfnt_off00007b02.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B02
    Size: 20508 bytes
    SHA-256: 57244fb0cef40aa8a9ae8e4ef3cacd38c5e226ea12007795d7a7479e6a0e5ef7
  • font_02_cff_off0000986f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x986F
    Size: 1100 bytes
    SHA-256: 2b477611defd46cc7a97c2db1525972cd346212a8b56450a0bbea906ed49cd12
  • font_03_sfnt_off00009f66.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9F66
    Size: 89913 bytes
    SHA-256: b169d256fd9d8d18305e6b0e92ffe9a2020765447a6abd6610452f1514b4ec93
  • font_05_sfnt_off0002bedd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2BEDD
    Size: 77789 bytes
    SHA-256: 8822adae4140ddd67ff121d14aa9d6068c461576cb57ed1ec4f496a4560f2fc7