Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3a4bb26cb8230dd…

Verdict: MALICIOUS
File type: PDF
Size: 54.7 KB
Created: 2009-09-02 02:27:58
Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: 71bd466bb7a5376bb22edc7e0efd6ed9
SHA-1: 33b09f260c01488e8551df934eceefd3da05199c
SHA-256: a3a4bb26cb8230dd3fecc3f4baf32330bca14eef16e6738fa090ef9cf0a1c0fa
Risk score: 78

Malware Insights

MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript/JScript

ClamAV flagged the file with 'Heuristics.PDF.ObfuscatedNameObject': at least one PDF name object (a dictionary key or value such as /JavaScript) is written with #xx hex escapes where none are needed. Authoring tools do not emit names that way; the only reason to do so is to defeat literal string matching on keywords like /JavaScript, /JS or /OpenAction, which is why this signature alone carries a critical weight. Static analysis also found a /JavaScript action and five /JS streams (carved below), so the document is built to run code when opened rather than merely to display content; the PDF_JAVASCRIPT and PDF_JS rules record that presence but score low on their own because benign forms also use JavaScript. The page content paints two images and contains no text operators, consistent with a screenshot-style lure. The carved scripts were not decoded further here, so what the code does (exploit, downloader or social-engineering prompt) is not established by this evidence; the combination of obfuscated name objects with multiple JavaScript streams is what drives the verdict.

Heuristics (4)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators (severity: info, rule: PDF_IMAGE_ONLY_LURE)
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

javascript_obj0058_000.js
  SHA-256: 180002bd1175df6d2f66c0d28abe22f55a18e9389e19cb998f3eb38737461806
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 58 at offset 0x9977
  Size:    23660 bytes

javascript_obj0059_001.js
  SHA-256: 09851b0ad3d5f1387c330a376e375bba9f03410b1808ed624d3fd960b4c73ce2
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 59 at offset 0xCFC3
  Size:    208 bytes

javascript_obj0060_002.js
  SHA-256: 75d23f643078522afd197401b4b76ac075d48caec970eb906a9aedce037ae0ed
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 60 at offset 0xD0B9
  Size:    201 bytes

javascript_obj0061_003.js
  SHA-256: a22d861aa119d98cef4906c7d5e1b17f817c82c1a93f32a1712144648db2f567
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 61 at offset 0xD19E
  Size:    150 bytes

javascript_obj0062_004.js
  SHA-256: fb96bbd32a9f586e1444666e0569956652a1e4538837d73cae97ada1c3291922
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 62 at offset 0xD25F
  Size:    206 bytes