Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6d02e09e4c83d54…

Verdict: MALICIOUS
File type: PDF
File size: 6.3 KB
MD5: 460734bf19a34f0a5f0ccefc60ec6a00
SHA-1: 2d4dd03190a4aeea0d65e2e7cc8a1a9f792ad51d
SHA-256: b6d02e09e4c83d545e27520161fc41034984b043bb43632ecd3e789911838979
Risk score: 106

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File

The PDF contains embedded JavaScript and a Flash object, indicating an attempt to exploit vulnerabilities. The high-confidence heuristics for PDF_JAVASCRIPT, PDF_JS, PDF_RICHMEDIA, and PDF_EVAL, along with the presence of embedded JavaScript files, strongly suggest that the document is designed to execute malicious code. The eval() call within the JavaScript stream is particularly concerning, as it is often used to deobfuscate and execute further malicious commands, likely leading to the download of a second-stage payload.

Heuristics (6)

  • RichMedia (Flash) (severity: high, rule PDF_RICHMEDIA)
    PDF contains /RichMedia (Adobe Flash), which is a historic exploit vector.
  • eval() call (severity: high, rule PDF_EVAL)
    eval() found; commonly used for obfuscated exploit execution.
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low, rule PDF_EMBEDDED)
    PDF embeds a file attachment; it could carry an executable or another weaponised document as a nested payload.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: exploit.swf
  SHA-256: 7295b8725a91fd64683611c1d5f2469845ebdec112e9dabb182aefba62dd4d62
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 14 at offset 0x48C
  Size: 3764 bytes

Filename: javascript_obj0017_000.js
  SHA-256: 7de29db79dcd52398753093a18d491cd08457303cba28c9cf4f700a7a7570a3e
  Kind: pdf-javascript-stream
  Source: PDF /JS object 17 at offset 0x13F4
  Size: 877 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 1 eval/decoder/string-building token(s).

Filename: javascript_obj0017_001.js
  SHA-256: f7e85fb2a2a282a721d45b313211eba2df789238f1c42c1f8c805b8d2e840725
  Kind: pdf-javascript-stream
  Source: PDF /JS object 17 at offset 0x13F4
  Size: 35 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 1 eval/decoder/string-building token(s).