Malicious PDF — malware analysis report

Static analysis result for SHA-256 985f7cc8082a7b00…

MALICIOUS

PDF

909.6 KB Created: 2012-12-28 11:22:48 Authoring application: 写真の印刷ウィザード (via Acrobat PDFWriter 5.0 Windows NT)
MD5: 8d506cde4b55d0c9ed1dedb922312c24 SHA-1: a400edbed3fed7f96c4bbc0511cb38833db53549 SHA-256: 985f7cc8082a7b00f6189ab1fa79014751d632018ea3ca8ca05173d507b08440
146 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.007 JavaScript

The PDF contains embedded JavaScript, which is further obfuscated using eval() and unescape() calls. A secondary embedded PDF also exhibits suspicious static findings. The presence of JavaScript and obfuscation techniques suggests the execution of a malicious payload. The document body contains what appears to be obfuscated code or data, including the string '10.0.1.434', which is included as an IOC.

Heuristics 7

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js
49a03404f62578b79b00a01dedd085272275c359996e0e8fe546f4745ccc7bba		 pdf-javascript-stream PDF /JS object 1 at offset 0xA 67070 bytes
stream_000_off00047995.js
1666ae55339dcc2f44f7e45ebefb0e0ee34e0475907a7914062ceec5ec71dfdf		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x47995 220128 bytes
polyglot_child_pdf_off000bdf75.pdf
1edaad8a7963aa462797a2c550ec037b53eb626aa2140f6855011519dfc00519		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xBDF75 153342 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.