Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae51c30c1351082b…

MALICIOUS

PDF

Size: 12.3 KB
Created: 2011-02-01 17:03:58 +02:00
Authoring application: Acrobat PDFMaker 7.0.7 for Word (via Acrobat Distiller 7.0.5 (Windows))
MD5: 4e13d25cf0ee678a3d110b2e68b8da25
SHA-1: 242581fd47ee2c705a35adb87f76edc2337d6357
SHA-256: ae51c30c1351082b8a4202ea9512d7d3f2abcf62455aec48711015c709830973
Risk Score: 66

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains multiple embedded JavaScript streams, with one stream exhibiting significant obfuscation and an eval() call, indicating an attempt to hide malicious code. The presence of PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL heuristics strongly suggests that the JavaScript is designed to execute arbitrary code, likely to download and run a secondary payload. No specific family could be identified due to the obfuscation.

Heuristics (6)

  • eval() call [high] PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Additional-actions dictionary [low] PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

  • javascript_obj0027_003.js
    SHA-256: 4207b58d34a8943c6dd2fa6ce5a0d89e5cf771beb81be95d7c4c025d02fc16e3
    Kind: pdf-javascript-stream
    Source: PDF /JS object 27 at offset 0x57C
    Size: 133 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 eval/decoder/string-building token(s).
  • javascript_obj0001_004.js
    SHA-256: 8d3d52558fbb283404103f3dbb921869b261bc349343a86c4ecc9c251410c861
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1 at offset 0xA49
    Size: 33 bytes
  • javascript_obj0021_005.js
    SHA-256: 7950b9f14a8ecb0ea89a76ea16ea72dd79b6b22f4f5560c8d3a39311ad8b438c
    Kind: pdf-javascript-stream
    Source: PDF /JS object 21 at offset 0x1545
    Size: 7186 bytes