Malicious PDF — malware analysis report

Static analysis result for SHA-256 a235e22d4df9463d…

Verdict: MALICIOUS
File type: PDF

Size: 315.2 KB   Created: 2009-09-05 04:53:48 +02:00   Authoring application: Adobe PDF Library 8.0
MD5:     ba3197e7887285f21974a0e4b5f809dd
SHA-1:   e519285ee437e45915e18c1ba037bb29d48b81fe
SHA-256: a235e22d4df9463d4b41883db3816128ea645fd1336fbe09e04740b71b542a45
Risk score: 102

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

This PDF document contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics and by the three carved /JS objects (341, 343 and 345). The high-severity PDF_EVAL heuristic and the decompressed stream script payload (stream_005_off000035f3.js, 244802 bytes, 17 eval/decoder/string-building tokens) suggest that the JavaScript builds and executes code at runtime, the usual pattern for obfuscated exploit or loader scripts. This script likely acts as a downloader for a second-stage payload, a common technique for delivering malware. Points an analyst should weigh before accepting that verdict: ClamAV matched no signature on the carved script; the ATT&CK mapping to T1059.001 (PowerShell) is not supported by any listed heuristic, since no Windows shell-execution primitive was found and the interpreter involved is the PDF reader's JavaScript engine; and the extracted URLs are XMP metadata namespaces, Adobe documentation links and certificate CRL pointers rather than a download location. Deobfuscating the carved script is the way to confirm what it actually does.

Heuristics (9)

  • eval() call [high] PDF_EVAL
    eval() found, commonly used for obfuscated exploit execution (matched inside decoded stream)
  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (XMP metadata namespaces, Adobe documentation links and certificate CRL distribution points; the trailing '\', ')Tj' and binary bytes that the carver picked up after some of them are residue of the surrounding PDF syntax and ASN.1 data, not part of the URL):
    • https://www.adobe.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://www.adobe.com/products/acrobat/readstep2.html
    • http://www.adobe.com/support
    • http://crl.adobe.com/prodSvce.crl
    • http://crl.adobe.com/cds.crl

Extracted artifacts (12)

Files carved from inside the sample during analysis. Each entry lists filename, SHA-256, kind, source (object or stream offset inside the PDF) and size.

embedded_file_obj0364.bin
  SHA-256: 81cfcafabb171b293181d41f5e593f84098267fc499cb3b7cb070d27bba1086e
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 364 at offset 0x14404
  Size:    8712 bytes

embedded_file_obj0365.bin
  SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 365 at offset 0x14936
  Size:    85 bytes

embedded_file_obj1494.bin
  SHA-256: 4d14d15bdd2531e88bb59e10da1916310ed357025834f36bbb5a1dc7709a6ed0
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 1494 at offset 0x4D835
  Size:    5704 bytes

javascript_obj0341_000.js
  SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 341 at offset 0x2B6D
  Size:    870 bytes

javascript_obj0343_001.js
  SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 343 at offset 0x2CF5
  Size:    2798 bytes

javascript_obj0345_002.js
  SHA-256: 04ceb4c2218e7db19a6e007ca4ce846f92c17fff5eaf3a611e71bbd7a5726917
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 345 at offset 0x2FEC
  Size:    1535 bytes

stream_004_off000032ec.bin
  SHA-256: bec6159663596fab9cbb35c31d8a1164f7678df36df09e813af56a0a389fc3e6
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x32EC
  Size:    1897 bytes

stream_005_off000035f3.js
  SHA-256: 407ae7f43e9948a2682996bf5d99962dfb8d287f0387de1755d9f5d52d3e43be
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x35F3
  Size:    244802 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 17 eval/decoder/string-building tokens)

stream_006_off00013c9f.bin
  SHA-256: 67d4800b829e53ef741093179e9dc7663bcaaf3ee32ecb86140b7b4cb18962d3
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x13C9F
  Size:    4748 bytes

stream_007_off0001405f.bin
  SHA-256: 6582e4039206d06fd0c697646a988bfc9e37b21d05f02ff571c461bd01c24897
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x1405F
  Size:    299 bytes

stream_008_off00014155.bin
  SHA-256: 8927782c7a13fdbbbcf4ee5d4640f5a25c4cb0a4200c42aea201d5623ebd1501
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x14155
  Size:    4371 bytes

stream_013_off00015e6c.bin
  SHA-256: 10b60bb21de45512487655473aa13c2501ab26cff2041581f60f090a20a469e9
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x15E6C
  Size:    4125 bytes
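The heuristics listed above and the stream carving behind the extracted-artifact table can be reproduced with a short static triage script. The following is an added example written for this page, not the analysis service's own code: it builds a small constructed PDF in memory (a FlateDecoded /JS stream that calls eval(), a /Btn widget with a /URI action, an /EmbeddedFile and an XFA stream), walks the objects with a regex, inflates FlateDecode streams at their byte offsets, counts eval/decoder/string-building tokens, and records which of the report's rules fired. The object walker assumes a plain "N 0 obj ... endobj" layout without object streams or encryption, and the token list is a constructed approximation of the service's unpublished set.

```python
"""Static PDF triage applying the heuristics listed in this report.

Added example, not the analysis service's code. A constructed sample PDF is built in
memory, its objects walked by regex (assumption: plain "N 0 obj ... endobj" layout, no
object streams, no encryption), FlateDecode streams are inflated at their byte offsets,
and each rule from the report that fires is recorded with its evidence.
"""
import re
import zlib

SEVERITY = {"PDF_EVAL": "high", "PDF_EMBEDDED_SCRIPT_PAYLOAD": "medium",
            "EXTRACTED_FILE_STATIC_TRIAGE": "info"}   # every other rule: low
# eval/decoder/string-building tokens (constructed list; the service's own set is not published)
OBFUSCATION_TOKENS = [rb"\beval\s*\(", rb"\bunescape\s*\(", rb"String\.fromCharCode",
                      rb"\.substr\s*\(", rb"\.replace\s*\(", rb"\bcharCodeAt\b",
                      rb"\bparseInt\s*\(", rb"\.join\s*\("]
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
BTN_TRIGGER_RE = re.compile(rb"/S\s*/(SubmitForm|URI|Launch|JavaScript)\b")

def iter_objects(pdf):
    """Yield (obj_num, dict_bytes, raw_stream_or_None, stream_file_offset_or_None)."""
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        s = re.search(rb"stream\r?\n", body)
        if s is None:
            yield num, body, None, None
            continue
        dict_part, off = body[:s.start()], m.start(2) + s.end()
        length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dict_part)
        if length:                  # direct /Length: take exactly that many bytes
            data = pdf[off:off + int(length.group(1))]
        else:                       # indirect /Length: fall back to the endstream keyword
            data = body[s.end():body.rfind(b"endstream")].rstrip(b"\r\n")
        yield num, dict_part, data, off

def decode_stream(dict_part, data):
    """Inflate /FlateDecode streams; other filters or corrupt data come back raw."""
    if b"/FlateDecode" not in dict_part:
        return data
    try:
        return zlib.decompress(data)
    except zlib.error:
        return data

def count_obfuscation_tokens(script):
    return sum(len(re.findall(p, script)) for p in OBFUSCATION_TOKENS)

def triage(pdf):
    """Return {rule_id: [evidence, ...]} for the rules this report lists."""
    hits = {}
    hit = lambda rule, ev: hits.setdefault(rule, []).append(ev)
    for num, d, data, off in iter_objects(pdf):
        for key, rule in ((b"/JavaScript", "PDF_JAVASCRIPT"), (b"/EmbeddedFile", "PDF_EMBEDDED"),
                          (b"/XFA", "PDF_XFA")):
            if key in d:
                hit(rule, f"obj {num}")
        if re.search(rb"/JS\b", d):
            hit("PDF_JS", f"obj {num}")
        trig = BTN_TRIGGER_RE.search(d) if b"/Btn" in d else None
        if trig:
            hit("PDF_ACROFORM_BUTTON", f"obj {num} trigger /{trig.group(1).decode()}")
        if data is None:
            continue
        body = decode_stream(d, data)
        where = f"obj {num} stream @0x{off:X} ({len(body)} bytes decoded)"
        if re.search(rb"\beval\s*\(", body):
            hit("PDF_EVAL", where)
        if b"<script" in body:      # HTML/XFA script tag inside a stream
            hit("PDF_EMBEDDED_SCRIPT_PAYLOAD", where)
        if n := count_obfuscation_tokens(body):
            hit("EXTRACTED_FILE_STATIC_TRIAGE", f"obj {num}: {n} token(s)")
    return hits

def build_sample_pdf():
    """Constructed lure-shaped PDF for the demo (not the sample in this report)."""
    js = b"var p = String.fromCharCode(104,105);eval(unescape('%61%6c%65%72%74')+'(p)');"
    js_z = zlib.compress(js)
    xfa = (b"<xdp:xdp xmlns:xdp='http://ns.adobe.com/xdp/'><script contentType="
           b"'application/x-javascript'>app.alert('hi')</script></xdp:xdp>")
    att = b"MZ" + b"\x00" * 30                               # constructed attachment body
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [5 0 R] /XFA 8 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>",
        b"<< /Type /Action /S /JavaScript /JS 6 0 R >>",
        b"<< /Type /Annot /Subtype /Widget /FT /Btn /T (open) /A << /S /URI /URI (http://example.invalid/dl) >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js_z) + js_z + b"\nendstream",
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(att) + att + b"\nendstream",
        b"<< /Length %d >>\nstream\n" % len(xfa) + xfa + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.7\n")
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return bytes(out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for rule, ev in sorted(triage(build_sample_pdf()).items()):
        print(f"[{SEVERITY.get(rule, 'low'):6}] {rule}: {'; '.join(ev)}")
```

Run against a real sample, the script prints one line per rule with the object number and stream offset as evidence, which is what lets an analyst jump straight to the carved artifact (here the offset 0x35F3 stream) instead of the whole file. The direct /Length path is preferred over searching for the endstream keyword because compressed data can legitimately contain that byte sequence; a PDF that uses object streams, cross-reference streams or encryption needs a real parser rather than this regex walk.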