Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8b8581abaa9e3f9…

Verdict: MALICIOUS
File type: PDF
Size: 1.95 MB
Created: 2011-72-51 03:25:00
MD5: 3ce6f87c7bcc1f269de349b8ef012491
SHA-1: 053ec4f884133d469120b3014a3e993d5647f41e
SHA-256: a8b8581abaa9e3f92f15a54b9665af354f4ec668079f34026d800676799d23ef
Risk Score: 98

Malware Insights

MITRE ATT&CK
  • T1059.001 JavaScript/Shell Scripting: JavaScript
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The PDF file contains embedded JavaScript streams that use eval() calls, indicating an attempt to execute obfuscated code. A secondary embedded PDF was also found with similar suspicious static findings. The primary function appears to be the execution of this JavaScript, which is likely designed to download and execute a second-stage payload. Confidence is slightly reduced because no specific IOCs, such as URLs or hashes, could be extracted directly from the available evidence.

Heuristics (5)

  • eval() call (severity: high, rule: PDF_EVAL)
    eval() found; commonly used for obfuscated exploit execution (matched inside decoded stream).
  • Secondary embedded PDF body has suspicious static findings (severity: high, rule: POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0001_000.js
    SHA-256: 9d4de6218535a2179478606659c272cd0946b523cec3244633dd4978398a9d06
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1 at offset 0x620F
    Size: 539 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
  • Filename: javascript_obj0001_000_1.js
    SHA-256: e12647c287c01018a22d5aab4a98196e7483cf871181e66582d0f12c6c76fd58
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1 at offset 0x61FF
    Size: 525 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
  • Filename: polyglot_child_pdf_off00006508.pdf
    SHA-256: 7b910f2aac38856a0f8099037ed28dd78ccc2b1a126a100da40962d26823d894
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x6508
    Size: 2022136 bytes