Malicious PDF — malware analysis report

Static analysis result for SHA-256 bafb3311c1cea14b…

MALICIOUS

PDF

85.3 KB Created: 2008-03-03 17:06:20 +08:00 Authoring application: Advanced PDF Repair: http://www.pdf-repair.com
MD5: 6bd12dbb335b6fc45ee91b1151924e3d SHA-1: 1107906edf8eb166b47eccec61293f6ffcc3cae3 SHA-256: bafb3311c1cea14bc34a5d860bf3d11f2c42c2c6909b50e5ba255f87797c8a02
134 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript with an eval() call, a common technique for obfuscating malicious code. ClamAV detected this as Pdf.Exploit.Agent-21535, indicating a known exploit. The embedded JavaScript stream, named 'javascript_obj0038_000.js', is highly suspicious and likely responsible for the malicious behavior. The exact payload or exploit targeted is not fully discernible from the provided evidence, but the presence of eval() and the ClamAV signature strongly suggest exploitation.

Heuristics 8

  • ClamAV: Pdf.Exploit.Agent-21535 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-21535
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.pdf-repair.com
    • http://www.pdf-repair.com)/Producer(Advanced
    • http://www.pdf-repair.com)/ModDate(D:20100406171120+08
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0038_000.js
d09b3f8531bbd0b9fb1a15b94dac709f7710e3e969ad94204049ce689fed2ee0		 pdf-javascript-stream PDF /JS object 38 at offset 0x151D 18155 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.