PDF malware analysis — malicious · b4cc35073b4ea680

MALICIOUS

PDF

310.3 KB

MD5: 7f996b18efddd393dd2accc634b0382d SHA-1: 476b31087a9c88bf304e13d573c1d4abd13ebb5f SHA-256: b4cc35073b4ea680b7757614b12f3331ced5b465147840728a9fea35e49088e2

346 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript and a Flash object, triggering critical heuristics for CVE-2011-2462 and a secondary embedded PDF. The embedded JavaScript stream, identified as 'javascript_obj0006_000.js', likely facilitates the execution of malicious code. The presence of a secondary embedded PDF and a SWF file further indicates a multi-stage attack designed to exploit vulnerabilities and download additional payloads.

Heuristics 10

Adobe Reader U3D/RichMedia parser exploit critical CVE likely CVE_2011_2462_RICHMEDIA_U3D

PDF combines U3D stream markers with RichMedia and JavaScript/XFA activation surfaces. This is the U3D RichMedia exploit document shape associated with CVE-2011-2462, even though the U3D marker is not exposed through the canonical /Subtype /U3D dictionary.
Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
ClamAV: Pdf.Exploit.Agent-35955 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-35955
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
RichMedia (Flash) high PDF_RICHMEDIA

PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`zVGWPnPsl.swf` `ae13437efad4e3a4f03cb0339d03b7d795966b217d30a540767c4ae26f402285`	pdf-embedded-file	PDF EmbeddedFile object 16 at offset 0x146D	26774 bytes
Detection ClamAV: Pdf.Exploit.Agent-35955 Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`javascript_obj0006_000.js` `ce44f38eb0f616818628376bcec99247a88e161a69539f804a0484c5f0b1d586`	pdf-javascript-stream	PDF /JS object 6 at offset 0x13C	12116 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 10 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
`polyglot_child_pdf_off000446ff.pdf` `df9caa1a8a81c3c654c87afe8a643f4a27424e4bd52b96287571843eae27694e`	polyglot-child-pdf	Secondary PDF body inside pdf container at offset 0x446FF	37419 bytes
Detection ClamAV: Pdf.Exploit.Agent-35955 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.