Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1e081f65b5c080f…

Verdict: MALICIOUS
File type: PDF
Size: 724.3 KB
Created: 2010-04-27 01:52:02 +02:00
MD5: 4d20fc249198e77b46284e6fd2a11d80
SHA-1: 3a3c72cbf85c2d1159540dfe2d2032886481d188
SHA-256: b1e081f65b5c080faff1c12bbcc5f58ba78a89b0ad6a266f94bf2a9e24b34e7b
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell (as tagged by the platform; no heuristic or artifact on this page shows PowerShell. The scripting evidence here is PDF JavaScript, which maps to T1059.007.)

The PDF carries multiple embedded JavaScript streams; several were flagged for eval() calls and String.fromCharCode usage, the usual signs of obfuscated code, and one decoded stream is itself a PDF whose contents match the platform's suspicious-PDF heuristics (PDF_EMBEDDED_CHILD_STATIC_TRIAGE). Together with the file attachment (PDF_EMBEDDED) and the XFA form (PDF_XFA), this is the shape of a wrapper document that hides a second stage from scanners that do not recurse into attachments. Note what the findings do not establish: PDF_JAVASCRIPT and PDF_JS are generic low-severity markers that only record that JavaScript is present, and the only URLs extracted are XMP metadata namespace identifiers, so a download-and-execute second stage is a hypothesis, not something these firings demonstrate; confirming it requires decoding the eval()/fromCharCode stages in the carved streams. ClamAV matched nothing in the file or in any carved artifact, and no specific malware family could be confidently identified.

Heuristics (9)

  • PDF_EMBEDDED_CHILD_STATIC_TRIAGE (high): Embedded PDF child has suspicious static findings
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • PDF_EVAL (high): eval() call
    eval() found; commonly used for obfuscated exploit execution (matched inside decoded stream).
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • PDF_EMBEDDED (low): Embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload (matched inside decoded stream).
  • PDF_XFA (low): XFA form
    PDF uses XML Forms Architecture, which can contain script logic (matched inside decoded stream).
  • PDF_FROMCHARCODE (low): String.fromCharCode
    String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/
    • http://ns.adobe.com/xap/1.0/rights/
    All nine are XMP/RDF schema namespace identifiers of the kind found in the metadata stream of any Adobe-produced PDF. They are not network indicators and should not be blocked or hunted. No other plain-text URL was extracted, so any network destination of the JavaScript is not visible without decoding the eval()/fromCharCode stages.
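The heuristics above are all string and token checks run over each decoded stream, and the wrapper rule simply re-runs them on any decoded stream that is itself a PDF. The following added example (written for this page, not the analysis platform's own code) re-creates that pipeline in plain Python: it carves and inflates FlateDecode streams, fires the structural and token rules, counts eval/decoder tokens the way the per-artifact notes below do, separates XMP namespace URIs from other URLs, and recurses into embedded PDFs so that a high-severity child finding taints the wrapper. Rule names are the report's; the severity-to-verdict logic, the namespace allow-list, the build_pdf() helper and the two constructed PDFs in run_demo() (including the example.invalid URL) are assumptions made here.

```python
"""Static PDF triage re-creating the checks behind the rule names above.

Added example, not the analysis platform's own code: rule names copy the
report's labels, while the verdict logic, the XMP namespace allow-list and
the PDFs built in run_demo() are assumptions made here for illustration."""
import re
import zlib

# Structural markers, weighted as the report does (generic JS is only "low").
STRUCTURAL_RULES = {b"/JavaScript": ("PDF_JAVASCRIPT", "low"), b"/JS": ("PDF_JS", "low"),
                    b"/EmbeddedFile": ("PDF_EMBEDDED", "low"), b"/XFA": ("PDF_XFA", "low")}
# Dangerous-API tokens, matched inside decoded streams and counted per buffer.
TOKEN_RULES = [(re.compile(rb"\beval\s*\("), "PDF_EVAL", "high"),
               (re.compile(rb"String\.fromCharCode"), "PDF_FROMCHARCODE", "low")]
# XMP/RDF schema namespaces sit in the metadata of ordinary Adobe-produced PDFs;
# they are not network indicators, so they are labelled apart from other URLs.
XMP_NAMESPACE_PREFIXES = (b"http://www.w3.org/1999/02/22-rdf-syntax-ns",
                          b"http://purl.org/dc/elements/1.1/", b"http://ns.adobe.com/")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")

def carve_streams(data):
    """Return every stream body, inflating those whose dictionary names /FlateDecode."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        sdict = data[max(data.rfind(b"<<", 0, m.start()), 0):m.start()]
        if b"/FlateDecode" in sdict:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # corrupt or truncated stream: skip it rather than abort
        bodies.append(body)
    return bodies

def triage(data, depth=0, max_depth=3):
    """Fire the heuristics on one PDF buffer and recurse into any decoded stream
    that is itself a PDF (the wrapper-PDF case the report describes)."""
    hits, token_count, children = {}, 0, []
    urls = {"metadata_namespace": set(), "other": set()}
    streams = carve_streams(data)
    # Scan the non-stream bytes (dictionaries, inline /JS strings) plus each
    # decoded stream exactly once, so no token is counted twice.
    for buf in [STREAM_RE.sub(b"stream\nendstream", data)] + streams:
        for needle, (name, sev) in STRUCTURAL_RULES.items():
            if needle in buf:
                hits[name] = sev
        for rx, name, sev in TOKEN_RULES:
            n = len(rx.findall(buf))
            if n:
                hits[name] = sev
                token_count += n
        for u in URL_RE.findall(buf):
            key = "metadata_namespace" if u.startswith(XMP_NAMESPACE_PREFIXES) else "other"
            urls[key].add(u.decode("ascii", "replace"))
    for body in streams:
        if body.startswith(b"%PDF-") and depth < max_depth:
            child = triage(body, depth + 1, max_depth)
            children.append(child)
            if "high" in child["hits"].values():  # the child's findings taint the wrapper
                hits["PDF_EMBEDDED_CHILD_STATIC_TRIAGE"] = "high"
    verdict = "MALICIOUS" if "high" in hits.values() else "SUSPICIOUS" if hits else "CLEAN"
    return {"verdict": verdict, "hits": hits, "token_count": token_count,
            "urls": urls, "children": children}

def _stream_obj(num, dict_body, data):
    return (str(num).encode() + b" 0 obj\n<< " + dict_body + b" /Length " + str(len(data)).encode()
            + b" >>\nstream\n" + data + b"\nendstream\nendobj\n")

def build_pdf(js, attachment=None, metadata=None):
    """Constructed PDF: a FlateDecode /JS stream, optional /EmbeddedFile and optional
    uncompressed XMP /Metadata. No xref table; the scanner does not need one."""
    pdf = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
           b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
           + _stream_obj(3, b"/Filter /FlateDecode", zlib.compress(js)))
    if attachment is not None:
        pdf += _stream_obj(4, b"/Type /EmbeddedFile /Filter /FlateDecode", zlib.compress(attachment))
    if metadata is not None:
        pdf += _stream_obj(5, b"/Type /Metadata /Subtype /XML", metadata)
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

def run_demo():
    """Wrapper PDF with a harmless alert whose attachment is a second PDF carrying
    obfuscated JavaScript. All of it is constructed; example.invalid never resolves."""
    stage_js = (b"var s = String.fromCharCode(97,112,112,46,97,108,101,114,116);\n"
                b"eval(s + '(\"http://example.invalid/stage2\")');\n")
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    outer = build_pdf(b'app.alert("Open the attached document");',
                      attachment=build_pdf(stage_js), metadata=xmp)
    return triage(outer)

if __name__ == "__main__":
    report = run_demo()
    print(report["verdict"], sorted(report["hits"]), report["children"][0]["urls"]["other"])
```

Run it as a script to see the wrapper verdict together with the child's findings: the outer file on its own only carries low-severity markers, and it becomes MALICIOUS solely because the inflated attachment, scanned recursively, contains eval() and String.fromCharCode. Real samples need more than this: other stream filters (ASCIIHex, LZW, RunLength), object streams, /Length-based carving instead of an endstream regex, and name obfuscation such as /J#53 for /JS. The point is to show why the report's annotations say "matched inside decoded stream" and why the wrapper is scored on its child's findings rather than its own.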

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Per artifact: filename; SHA-256; kind; source (location in the parent); size; detection notes where the artifact matched a check.

icc_00_off0000106c.icc
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  Kind: pdf-icc-profile | Source: PDF ICC profile at offset 0x106C | Size: 3144 bytes

font_00_sfnt_off00013e68.bin
  SHA-256: 1c9caeabbe7a17e7584598ee4b254b89598c52c7781225d433a81b5a783f85af
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x13E68 | Size: 169268 bytes

font_01_sfnt_off00019f75.bin
  SHA-256: 17fe835ba881f7f8715de94174d45edc81c0bc0b98f61aca855dde4590195954
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x19F75 | Size: 167272 bytes

stream_002_off000031e5.js
  SHA-256: a7bf3968f6b1b5f6b67bb60ebcbd115943ea3ce09c131c900db6ef041f717dda
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x31E5 | Size: 13131 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 19 eval/decoder/string-building tokens).

stream_003_off00003fec.js
  SHA-256: ef75178dc5c726c246732f82b203eb7fdcdccb7fa928ca5048a0e18ac01608f9
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x3FEC | Size: 9287 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 7 eval/decoder/string-building tokens).

stream_005_off000049d6.js
  SHA-256: 8a26308eea9c72525f80851b2d9bb98f352e95cbed376f6dfeb351ee9daaab86
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x49D6 | Size: 14878 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 9 eval/decoder/string-building tokens).

stream_006_off000058ba.js
  SHA-256: 9ffe3b3cb04406be0fe049a27115b496dfd3681c12826d0d072ad5e38b55591d
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x58BA | Size: 3139 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 3 eval/decoder/string-building tokens).

stream_007_off00005d34.js
  SHA-256: 2cf85655b5e4504a07c876fda3c661c0038610a346de305a642d9f0223bb5037
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x5D34 | Size: 44450 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 8 eval/decoder/string-building tokens).

stream_009_off000081a7.js
  SHA-256: 2dd59078323996f941d300e3a789a09fc6b09245a06f5a91de2e94a41c8a58d9
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x81A7 | Size: 8739 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens).

stream_115_off00077b6c.js
  SHA-256: 80a6b8fd0ad629fdc498643b69b950d757215796a4f1a1a0046e79eaefd4fe76
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x77B6C | Size: 788 bytes

stream_121_off000788e8.js
  SHA-256: 12dd82be7048d8327a981875eede1bbb7dd56759a33ed09f7f946c64438ad88c
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x788E8 | Size: 2818 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens).

stream_123_off00078f00.bin
  SHA-256: d31d681b3920d26a812e69946ec71a1942cc460f9c63f3eceed6cf9851d98244
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x78F00 | Size: 44608 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 4 long base64-like blobs).

stream_124_off0007b9a3.js
  SHA-256: cee704957726b41b8f3810c6643be699748b8a9f77a0fb820a8c786f60610086
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x7B9A3 | Size: 5898 bytes

stream_128_off0007bf22.bin
  SHA-256: f7fed59236d8844cecbf14431891bfc61b3b244b7ad3cf76f0972b85337a4754
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x7BF22 | Size: 133468 bytes

stream_129_off00099c46.bin
  SHA-256: 387fe3b5c9990862ce1154fc1c26e563a42c952478eee86062467f58c39f6378
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x99C46 | Size: 92245 bytes