Malicious PDF / .SWA — malware analysis report

Static analysis result for SHA-256 bd07b90b515234f1…

MALICIOUS

PDF / .SWA

6.7 KB Created: 2010-09-03 08:30:37 Authoring application: Xijokanilohova (via dd4e6Kmgxaloxaxgi)
MD5: bf8f9149a1f4abbb379421f6492c9f0e SHA-1: 325d727e20905dbcf78bf59866f2b3fc2d5b756c SHA-256: bd07b90b515234f111e14ff819f69cf846ce72cbe7a624d87c358983220a3289
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is a PDF containing obfuscated JavaScript, as indicated by multiple heuristic firings including ClamAV's detection of an obfuscated name object. The presence of JavaScript actions and embedded JS streams suggests an attempt to exploit vulnerabilities within the PDF reader. The SHA256 hash is included as a primary indicator.

Heuristics 3

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0011_000.js
d75aba2bc241d027161697fa7aada0bf45c7afe5b58fce1bb0bf66350349f123		 pdf-javascript-stream PDF /JS object 11 at offset 0x1208 1983 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.