Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb8ab75282b280de…

MALICIOUS

PDF

Size: 12.8 KB
Created: 2010-04-08 22:58:01
MD5: 1098e2a5dea43708d26518d57ace3a35
SHA-1: d15311f3b7cd4988c853e9fc99b67eebec281c40
SHA-256: bb8ab75282b280deb1f090c7e3c7d0f5c82ebc3f908532c3384462fee24e7cef
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The PDF contains JavaScript that is triggered by the OpenAction, indicating an attempt to execute code upon opening. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' strongly suggests the document's purpose is to deceive the user into interacting with a password-protected archive. The embedded JavaScript, while obfuscated, likely facilitates this lure by providing instructions or the password itself. The SHA256 hash is included as a primary identifier for this malicious file.

Heuristics (4)

  • OpenAction trigger high PDF_OPENACTION
    PDF has an /OpenAction — code runs automatically when opened
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0020_000.js
SHA-256:  efe8ac88cec7c8f34b60e5273a8a37f2a8377e5175a13b7de4df1a9a1eabbdda
Kind:     pdf-javascript-stream
Source:   PDF /JS object 20 at offset 0x293D
Size:     38650 bytes