PDF malware analysis — malicious · a601431acd5004c3

MALICIOUS

PDF

77.1 KB Created: 2006-02-16 15:03:51 -08:00 Authoring application: Acrobat PDFMaker 7.0.5 for PowerPoint (via Acrobat Distiller 7.0.5 (Windows))

MD5: 89b000e6b0c9b195a1115e674f7185e1 SHA-1: 81b244be7b9c170666128b3c37dfd2b465a76aea SHA-256: a601431acd5004c37bf8fd02fccfdacbb54b27c8648d1d41ad14fa3eaf8651d3

142 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The file is a PDF containing embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The presence of JPXDecode with active content suggests an exploit related to CVE-2018-4990. The embedded JavaScript likely downloads and executes a second-stage payload from one of the unknown-reputation URLs found in the document. The ClamAV detection of 'Pdf.Exploit.Dropped-94' further confirms its malicious nature.

Heuristics 9

JPXDecode + active content — JPEG2000 CVE-family indicator high CVE related PDF_JPX_CVE_2018_4990_RELATED

PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
ClamAV: Pdf.Exploit.Dropped-94 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Dropped-94
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
AcroForm button with action trigger low PDF_ACROFORM_BUTTON

PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.pdfscripting.com)/IF
- http://www.pdfscripting.com)/S/URI
- http://www.windjack.com)/S/URI
- http://www.pdfscripting.com
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/pdfx/1.3/
- http://www.w3.org/1999/xhtml
- http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0076_003.js` `47f20292cac5d149a2a81752347c1759f387c7e2d9227483dc099e64cad0e162`	pdf-javascript-stream	PDF /JS object 76 at offset 0x1268A	175 bytes
`javascript_obj0026_004.js` `db93405ce1f319608828f96fb024208787e349b2fcadf58d2c44e2523173b8df`	pdf-javascript-stream	PDF /JS object 26 at offset 0x1FC6	2789 bytes
`javascript_obj0067_005.js` `81b5e35f5ebf380b37db6bcdeb3bc3c1be82175f4c88474a85136d0c5e15db82`	pdf-javascript-stream	PDF /JS object 67 at offset 0x5BA3	862 bytes
`stream_022_off00007b5d.bin` `92b3a50668db443e80f0e93c322773bf294375237f5ca21f66d5db8fec6d60ac`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x7B5D	80076 bytes
`icc_00_off00005dbf.icc` `2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e`	pdf-icc-profile	PDF ICC profile at offset 0x5DBF	3144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.