Malicious PDF — malware analysis report

Static analysis result for SHA-256 af6c54f0c340530d…

Verdict: MALICIOUS
File type: PDF
Size: 475.5 KB
Created: 2005-05-18 11:10:59 +02:00
Authoring application: Word (via Mac OS X 10.3.9 Quartz PDFContext)
MD5: 81c15526756931b4f01da6b30f5449fe
SHA-1: b3306d45ba5098de6e0d4f63ca14c3b90ae700f6
SHA-256: af6c54f0c340530da361179e77bcd686b337d6f3294fc5ffdf43dbdf369d988a
Risk score: 66

Malware Insights

MITRE ATT&CK: T1059.001 (PowerShell)

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The presence of an eval() call suggests code execution. An external JavaScript file was also extracted, which is likely part of the malicious payload delivery. The specific intent of the script is to execute arbitrary code, but without further analysis of the script's content, the exact payload and delivery mechanism remain unclear.

Heuristics (6)

  • eval() call (severity: high, rule: PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Additional-actions dictionary (severity: low, rule: PDF_AA)
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size, Detection.

  • javascript_obj0001_004.js
    SHA-256: 1ca5b3220422680a25d0b2d30e9987fb406ba885d979bf8941553e641d75e397
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1 at offset 0xF
    Size: 1059 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 6 eval/decoder/string-building token(s))
  • stream_017_off0007260d.bin
    SHA-256: aab3a31f10e59ffb760391735d8ec89ba436db5b0f9bc18e514d2e4624ee5543
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x7260D
    Size: 14272 bytes
  • icc_00_off00063709.icc
    SHA-256: eb03db58ff1f226c83103a11f30b5520f9b68a7ced67daa78992723e3ea0411d
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x63709
    Size: 1320 bytes
  • font_00_sfnt_off0005c3ee.bin
    SHA-256: 8fa10140e9102320675123169458e67f483638cf5be32a9d65981af548a44cf6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5C3EE
    Size: 28356 bytes
  • font_02_sfnt_off00075441.bin
    SHA-256: 154286331d2fe546a14a25252d49bd4cfb62d6e90cd72077ecd3bf26d19b77f4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x75441
    Size: 7976 bytes