Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e69a076c4394c29…

Verdict: MALICIOUS
File type: PDF
Size: 759.1 KB
Created: 2006-11-07 11:38:03 -07:00
Authoring application: Adobe Illustrator 11.0 (via Deep Exploration 5 5.0.3.1555 Release)
MD5: 1aafba1355b0b42011cb5574d8d03e9b
SHA-1: f1aa6f1f20120111d497e78cb4e042647c0302f5
SHA-256: 9e69a076c4394c297ae3a5ce026cfd7e0d4e79221f915c6f177d43d3789233f3
Risk Score: 174

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript (the scripting evidence in this sample is PDF-embedded JavaScript; no PowerShell artefact appears in any carved stream, so T1059.001 is not supported)
T1203 Exploitation for Client Execution (U3D parser CVE-family indicator)
T1204.002 Malicious File

The PDF carries embedded JavaScript that uses eval(), unescape() and String.fromCharCode(), a decode-and-execute pattern typical of obfuscated exploit or downloader stages; every match was made inside decoded (FlateDecode) streams, not in the raw file bytes. The document also contains U3D/3D content, the attack surface of the CVE family (CVE-2009-3953, CVE-2011-2462) that the PDF_U3D_CVE_RELATED rule keys on. That rule is a content-type indicator, not proof that either bug is triggered, and two facts from the metadata should be weighed against it: the authoring application is Deep Exploration, a 3D-to-PDF authoring tool, so U3D content and its accompanying viewer JavaScript are expected in this file rather than anomalous, and the declared creation date (2006) predates both CVEs, although document metadata is trivially forged. The obfuscation prevents static recovery of the final payload, and ClamAV matched nothing in any of the 29 carved artifacts, so the MALICIOUS verdict rests on heuristic scoring alone. The techniques are consistent with a downloader or exploit delivery mechanism; confirming that requires deobfuscating the JavaScript streams (the 24 FlateDecoded .js artifacts recur at near-identical sizes and should be diffed against each other before being counted as independent findings) and parsing the largest carved stream, the 688 KB binary at offset 0x42C0D, to see whether it is the U3D model data and whether it is well-formed.

Heuristics (10)

  • U3D/3D content in PDF: Adobe Reader 3D parser CVE-family indicator (high, PDF_U3D_CVE_RELATED)
    PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content is extremely rare in ordinary documents; in this sample, however, the authoring application (Deep Exploration) is a 3D-to-PDF tool, so its presence is expected, and this rule identifies the exposed parser rather than proving that either CVE is triggered.
  • eval() call (high, PDF_EVAL)
    eval() found; commonly used to execute obfuscated exploit code (matched inside decoded stream).
  • unescape() call (high, PDF_UNESCAPE)
    unescape() found; often used to decode %u-encoded shellcode in PDF JavaScript exploits (matched inside decoded stream).
  • Embedded script payload in PDF stream (medium, PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (low, PDF_FROMCHARCODE)
    String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
  • Optional Content Group with action trigger (low, PDF_OPTIONAL_CONTENT)
    An Optional Content Group (layer) co-occurs with an action trigger; content can be selectively hidden from viewers or scanners while the action still fires on open.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All six URLs below are XMP/RDF namespace identifiers from the document's metadata packet (the RDF syntax namespace, Adobe's PDF and XMP schemas, and Dublin Core); a viewer never fetches them and they carry no value as network indicators.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
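The heuristics above are simple static rules over decoded stream contents. As an added example, not code from this report or from the scanner that produced it, the following Python script reproduces the core of those rules on a constructed PDF: it inflates FlateDecode streams, counts the eval/unescape/String.fromCharCode tokens inside the decoded bytes (as the rules note, matching has to happen after decoding), deduplicates token-bearing streams by SHA-256 so that repeated copies of one script are counted once, checks whether a stream starts with the U3D file-header magic, and separates XMP namespace URIs from URLs worth treating as indicators. The sample PDF, its object numbers and all function names are assumptions of this example; the U3D magic is the ECMA-363 file header block type 0x00443355, i.e. the bytes 'U3D\0' little-endian.

```python
import hashlib
import re
import zlib

# Tokens the report's PDF_EVAL / PDF_UNESCAPE / PDF_FROMCHARCODE rules key on,
# counted inside decoded streams as the report does.
TOKENS = (b"eval(", b"unescape(", b"String.fromCharCode")

# XMP/RDF namespace URIs: metadata identifiers a viewer never fetches.
XMP_NS_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                   "http://ns.adobe.com/", "http://purl.org/dc/")

# Stream dictionary (one level of nesting allowed) followed by its body.
STREAM_RE = re.compile(
    rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"')\]]+")
U3D_MAGIC = b"U3D\x00"  # ECMA-363 file header block type 0x00443355, little-endian


def decode_stream(dictionary: bytes, body: bytes) -> bytes:
    """Inflate a /FlateDecode stream; anything else is returned as-is."""
    if b"/FlateDecode" not in dictionary:
        return body
    try:
        return zlib.decompress(body)
    except zlib.error:
        return body  # truncated or corrupt: triage whatever bytes are there


def triage(pdf: bytes) -> dict:
    """Static triage of one PDF: action/3D markers, per-stream obfuscation
    token counts, deduplication of identical scripts and URL classification."""
    findings = {
        "javascript_action": b"/JavaScript" in pdf,
        "js_stream": b"/JS" in pdf,
        "three_d_marker": b"/3D" in pdf or b"/U3D" in pdf,
        "u3d_stream_offsets": [],
        "streams": [],
        "unique_scripts": {},  # sha256 -> offsets of identical token-bearing streams
        "urls": {},            # url -> "xmp-namespace" | "other"
    }
    for m in STREAM_RE.finditer(pdf):
        data = decode_stream(m.group(1), m.group(2))
        counts = {t.decode(): data.count(t) for t in TOKENS}
        findings["streams"].append(
            {"offset": m.start(), "decoded_size": len(data), "tokens": counts})
        if data.startswith(U3D_MAGIC):
            findings["u3d_stream_offsets"].append(m.start())
        if any(counts.values()):
            digest = hashlib.sha256(data).hexdigest()
            findings["unique_scripts"].setdefault(digest, []).append(m.start())
    for raw in URL_RE.findall(pdf):
        url = raw.decode("ascii", errors="replace")
        kind = "xmp-namespace" if url.startswith(XMP_NS_PREFIXES) else "other"
        findings["urls"][url] = kind
    return findings


def build_sample_pdf() -> bytes:
    """Constructed test input (not the analysed sample): one FlateDecoded
    JavaScript stream wired to an /OpenAction, a /3D annotation whose data
    stream carries the U3D magic, and an XMP metadata packet."""
    js = (b"var sc = unescape('%u9090%u9090');\n"
          b"eval(String.fromCharCode(97, 112, 112));\n")
    packed = zlib.compress(js)
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           b"xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/></x:xmpmeta>")
    return b"".join([
        b"%PDF-1.6\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [6 0 R] >> endobj\n",
        b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed),
        packed, b"\nendstream\nendobj\n",
        b"6 0 obj << /Type /Annot /Subtype /3D /3DD 7 0 R >> endobj\n",
        b"7 0 obj << /Type /3D /Subtype /U3D /Length 4 >>\nstream\n",
        U3D_MAGIC, b"\nendstream\nendobj\n",
        b"8 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp),
        xmp, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%EOF\n",
    ])


if __name__ == "__main__":
    result = triage(build_sample_pdf())
    for s in result["streams"]:
        print(f"stream @0x{s['offset']:X}: {s['decoded_size']} bytes, tokens={s['tokens']}")
    print("unique token-bearing scripts:", len(result["unique_scripts"]))
    print("U3D data streams:", [hex(o) for o in result["u3d_stream_offsets"]])
    print("URLs:", result["urls"])
```

To run it against a real file, pass the file's bytes to triage() instead of build_sample_pdf(). Streams with filters other than FlateDecode (ASCIIHex, LZW, and the object streams the report lists as /ObjStm) come back raw and need their own decoders, and the regex scans whole-file syntax rather than walking the xref table, so it also sees objects left in incremental updates or freed regions, which is what you want for triage. Applied to the 24 FlateDecoded .js artifacts in the list below, the unique_scripts map answers directly whether they are one script embedded many times or many distinct scripts.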

Extracted artifacts (29)

Files carved from inside the sample during analysis. Each entry lists, in order: Filename; SHA-256; Kind; Source (object or offset inside the PDF); Size; then Detection results where a scanner or static-triage check ran on the artifact.
javascript_obj0222_000.js
6fe1aee940a60481b76042dc9beb9a172cf5ba4c46f0197f3f60830a22e26d08
pdf-javascript-stream PDF /JS object 222 at offset 0x38193 189179 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_033_off00025da9.js
83f0e3117230a4942827ef354efb831d505f83a1546ceb7cbd336b12cb2a5942
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x25DA9 22212 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_034_off00026e46.js
f8b13a3863af702dcd7e3941443dec10025d7a2a53f54e108dfaf2b8e3f2695f
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x26E46 17918 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_035_off00027c1a.js
67fdedd6cb9a0e0b6e0eaba2f238ca5c983512f99a2092d586e4edea586be475
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x27C1A 10626 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s).
stream_039_off0002a375.js
e268c3fa8753a7b53b3db467a54c42b8f9036543a6f7b6d4f1d02ccd59df16d3
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2A375 7253 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_040_off0002aaed.js
77066a7a37b3af6ad53791d7f9457b7dfed3a8d84d4feaa7031d8ae355636408
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2AAED 2855 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_041_off0002af12.js
a1069b624d829f9ed15ef9dc70c98d2a23233bb0b080385f34e121a533ca365a
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2AF12 10387 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s).
stream_045_off0002d3a4.js
09a1f6366bade2c781cbaf923095ea7085f8de7adb3a8c0b0b708123787b545f
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2D3A4 7240 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_046_off0002db2b.js
962623957d02896ce50ac303e11139789b7c547ef6f635834872fbf3a740a5c4
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2DB2B 2629 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_047_off0002df38.js
252ea1aa6e45985d77ac5ab2582980690ed57e9f198ae81a80a56806c03a8ae3
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2DF38 10231 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s).
stream_049_off0002f7b0.js
9796998ca2c32756bf181ff5f4a60580d6fd55561b2050ddebc355d20055f667
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2F7B0 7036 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_050_off0002ff25.js
2a7255a2847947efcf8ff75cb73e57c1238de0b56ef725e3acb574238a620505
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2FF25 2680 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_051_off0003033c.js
34e199a7c93f33d1bb6f18620c86cff5d7bc5c68e1809e942ed0f3c0dc1515f9
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3033C 10563 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s).
stream_053_off00031685.js
12da33232a02682161413374f6f05c0210833edfde1a8ef6373b058eab29c831
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x31685 7349 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_054_off00031e2f.js
e35d38f817cd62db5a1f4554fb99f1e4ac0bd5e7e17c19dc1ad0afd56261c2cd
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x31E2F 2699 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_055_off00032242.js
f99b25026b97bbf0ee754128febcbd6731b4870a0b207a825858361537edb519
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x32242 10656 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
stream_057_off0003350e.js
f61d6d78585bf688bcd9976ab48d95b3ceeff76f145e26142d53f0c3f6f91422
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3350E 7516 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
stream_058_off00033cb9.js
835ae1930debae0ff9f45f4d3af42c9838d14fc0ce7262bdf9b42f507a2f12bb
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x33CB9 2623 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_059_off000340c9.js
0d67705a6bb1b0b689ce8dc5c8e2647f9ac5b389b7b962dac06623e78c805ec9
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x340C9 10376 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s).
stream_061_off000354ce.js
f1b809fcabd36a7b044d90b6113a89fff86070ac264f8499b1c49f20c8e11036
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x354CE 7139 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_062_off00035c6c.js
8cf818474745e275d3a361ee51a325ca2da34fa2d6266b93bd6469334fb63052
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x35C6C 2719 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_063_off0003608d.js
edf99511724f2fa86783da015818f61810939ca447b807b0b8c274f911c20ef9
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3608D 10455 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
stream_065_off0003733e.js
0e39b508c23e49751ef8144517c5ab068efcd2c2e8347b74a648b3adeb7cf172
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3733E 7219 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_066_off00037ad6.js
575b0ab544d9a1d0fd5b4052fc85e291b9e65138e37005f64035bcb6a2a084bd
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x37AD6 2721 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_069_off00042c0d.bin
3f2c1c9866ef4b08c533278e0c73120faddb61ede8760e19eaa56bd84934380b
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x42C0D 688844 bytes
stream_070_off000997f0.js
293e87bad017638b7a9abe516b617a4baabdee4dce16511a4d1238c1e0dd2409
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x997F0 151320 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
objstm_0233_00.bin
130a52f1c2559f13a74c282db98c237ff20dc8dc8276adbb12e70b0069473cac
pdf-objstm-decoded PDF /ObjStm 233 0 obj (inflated) 525 bytes
objstm_0234_00.bin
50b8be7bcb0faeedcd653bd9fa39aaf66c2575814701a52e34458519eff5fb58
pdf-objstm-decoded PDF /ObjStm 234 0 obj (inflated) 3792 bytes
font_00_sfnt_off000010bf.bin
f39f99e2d4b021d4eac703afe26d32ad26f128c442f2089910c21b1f323fc85d
pdf-font-stream PDF embedded font (sfnt) at offset 0x10BF 79301 bytes