Malicious PDF / .SWA — malware analysis report

Static analysis result for SHA-256 a76bfbf2c0d53010…

MALICIOUS

PDF / .SWA

7.2 KB Authoring application: Bofatezozinefaxfa (via b1218Vogewojixariuawi)
MD5: 53691ec39b0b68dcb8bc7feb51f032f3 SHA-1: f835e383eb8c63195a24a852fbb71c755e5b116d SHA-256: a76bfbf2c0d53010174529e5d1cb5cecfdb2ce5cfffb503c4e6b1406de48f2f8
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. ClamAV also flagged it as Heuristics.PDF.ObfuscatedNameObject, suggesting obfuscation techniques common in malware. The embedded JavaScript stream, named javascript_obj0011_000.js, is the primary mechanism for executing malicious actions. While the exact script functionality is not detailed, its presence strongly suggests the PDF is designed to exploit vulnerabilities or trick the user into running malicious code, likely to download and execute a second-stage payload.

Heuristics 3

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0011_000.js
ca838ab153ea9de4fff1e74bdd0848fd720f71bc6fbee4425be234136cd19b41		 pdf-javascript-stream PDF /JS object 11 at offset 0x1349 2325 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.