Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd21f5402b39e59e…

Verdict: MALICIOUS
File type: PDF
Size: 510.9 KB
Created: 2008-02-01 22:43:49 UTC
Authoring application: The AcroTeX eDucation Bundle (via Acrobat Distiller 8.1.0 (Windows))
MD5: 8f6eaf5d3bb88b4a1cf42a96003b6fc0
SHA-1: 3ebf8f6272aaa7b92980deafcf89d47ce458a032
SHA-256: bd21f5402b39e59ee4bc3b5684465029019c8882915d2f6a115ccfbe9bb84aa3
Risk score: 74

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1059.001 Command and Scripting Interpreter: PowerShell (no heuristic or carved artifact on this page references PowerShell; treat this mapping as unconfirmed)

The PDF contains multiple embedded JavaScript streams, and several of them trigger heuristics for JavaScript execution and obfuscation. The single high-confidence hit is PDF_EVAL: eval() is called inside a decoded /JS stream, a pattern commonly used to run obfuscated code. The remaining hits (/JavaScript action, /JS stream, /AA additional-actions dictionary, String.fromCharCode) are low-weight signals that are also common in benign interactive forms. No heuristic on this page identifies an exploit for a specific reader vulnerability or a download stage, and ClamAV matched none of the carved JavaScript, so the verdict rests on the eval() call and the density of decoder/string-building tokens in the carved streams. Two facts argue for reviewing the carved JavaScript before acting on the verdict: the authoring application is the AcroTeX eDucation Bundle, a LaTeX package that produces interactive forms and quizzes with embedded JavaScript, and the only non-metadata URL found, http://www.acrotex.net (reputation unknown), is that project's site.

Heuristics (7)

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Additional-actions dictionary low PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.acrotex.net (reputation unknown; per-URL channel label not shown)
    The following URIs are XMP/RDF metadata namespace identifiers from the document's metadata stream, not network indicators, and need no reputation lookup:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
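The heuristics above can be reproduced with a small static scanner. The block below is an added example and not the analysis pipeline's own code: it searches a PDF byte string for the action keywords the report scores (/JavaScript, /JS, /AA, /OpenAction), inflates FlateDecode streams, and looks inside the decoded content for eval( and String.fromCharCode, which is where PDF_EVAL and PDF_FROMCHARCODE reported their matches. Rule names and the high/low weights are taken from the report; the weight given to PDF_OPENACTION and the sample PDF are this example's assumptions.

```python
"""Static PDF triage mirroring the heuristics listed above (added example)."""
import re
import zlib

# Keyword rules checked against the raw file. Weights follow the report:
# generic JavaScript presence is low, auto-execution is stronger.
KEYWORD_RULES = {
    b"/OpenAction": ("PDF_OPENACTION", "high"),   # weight assumed for this example
    b"/JavaScript": ("PDF_JAVASCRIPT", "low"),
    b"/JS": ("PDF_JS", "low"),
    b"/AA": ("PDF_AA", "low"),
}
# Token rules checked against decoded stream bodies.
DECODED_RULES = [
    (re.compile(rb"\beval\s*\("), "PDF_EVAL", "high"),
    (re.compile(rb"String\.fromCharCode"), "PDF_FROMCHARCODE", "low"),
]
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # direct /Length only


def stream_bodies(pdf: bytes):
    """Yield (object number, decoded body) for each stream object.

    Stream length is taken from a direct /Length; an indirect /Length falls
    back to searching for the endstream keyword. Objects packed inside
    /ObjStm object streams are not expanded here, so a file that hides its
    dictionaries there needs a fuller parser.
    """
    for m in OBJ_RE.finditer(pdf):
        objnum, body = int(m.group(1)), m.group(3)
        start = re.search(rb"stream\r?\n", body)
        if not start:
            continue
        header = body[:start.start()]
        length = LENGTH_RE.search(header)
        if length:
            raw = body[start.end():start.end() + int(length.group(1))]
        else:
            end = re.search(rb"\r?\nendstream", body[start.end():])
            raw = body[start.end():start.end() + (end.start() if end else len(body))]
        if b"/FlateDecode" in header:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass    # corrupt or truncated stream: keep the raw bytes
        yield objnum, raw


def triage(pdf: bytes) -> dict:
    """Return {rule: {"weight": w, "hits": [where, ...]}} for every rule that fired."""
    findings = {}

    def hit(rule, weight, where):
        findings.setdefault(rule, {"weight": weight, "hits": []})["hits"].append(where)

    for kw, (rule, weight) in KEYWORD_RULES.items():
        # Lookahead keeps /JS from matching longer names such as /JSON.
        for m in re.finditer(re.escape(kw) + rb"(?![A-Za-z])", pdf):
            hit(rule, weight, f"offset 0x{m.start():X}")
    for objnum, data in stream_bodies(pdf):
        for pat, rule, weight in DECODED_RULES:
            n = len(pat.findall(data))
            if n:
                hit(rule, weight, f"object {objnum}: {n} match(es) in decoded stream")
    return findings


def build_sample() -> bytes:
    """Constructed PDF fragment: a page-open /AA action runs a FlateDecoded
    /JS stream that builds a string with String.fromCharCode and eval()s it."""
    js = (b"var s = String.fromCharCode(97,112,112,46,97,108,101,114,116,40,49,41);"
          b"eval(s);")                     # the codepoints decode to app.alert(1)
    body = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Page /AA << /O 3 0 R >> >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for rule, info in triage(build_sample()).items():
        print(f"{rule:18} {info['weight']:5} {'; '.join(info['hits'])}")
```

On the constructed sample the scanner fires the same five rules the report lists for this file, with only PDF_EVAL weighted high. As the report's own rule descriptions note, the four low-weight hits are exactly what a legitimate interactive form produces, so they should never be read as a verdict on their own.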

Extracted artifacts (25)

Files carved from inside the sample during analysis.

Filename (second line: SHA-256) / Kind / Source / Size
javascript_obj0555_000.js
db9267b26c5a5e63523b2e315e33b7f52a7426b1c9fecbb16d42c49b3e66f36e
pdf-javascript-stream PDF /JS object 555 at offset 0xDBC 322 bytes
javascript_obj0604_001.js
c2339bff98f9e1387b44c2867c345f4154e68322a4cf27b5055bee39ec2a0f27
pdf-javascript-stream PDF /JS object 604 at offset 0x7D223 170 bytes
javascript_obj0606_003.js
6899821d1a26cb43d0a8ca2327c4f9d28d274f663641f446024435773ee4211b
pdf-javascript-stream PDF /JS object 606 at offset 0x7D331 1335 bytes
javascript_obj0608_004.js
abbe52e1d7d7010c4a3ce2c772a798b4006a8bcac87c5c75978aa0d5be7ca96e
pdf-javascript-stream PDF /JS object 608 at offset 0x7D5AE 10229 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 18 eval/decoder/string-building token(s).
javascript_obj0610_005.js
0da565853c81cb902403f59a6623e2acfb0a06b773cab844be3ef2d9103f3782
pdf-javascript-stream PDF /JS object 610 at offset 0x7E08E 1749 bytes
javascript_obj0612_006.js
b307ed8c26f7b5308f4d2de6d9a057ff911f87386fe5004d9e042c3e52cf220c
pdf-javascript-stream PDF /JS object 612 at offset 0x7E33C 11791 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj0614_007.js
35aa51fea18dab6a96dc0570d1e0a6d25a66d668daf1c10292cc97b7a69c5735
pdf-javascript-stream PDF /JS object 614 at offset 0x7EF16 2654 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj0616_008.js
0b2ecc69c765a5a8deb260c7bb2c6dde6858cf83fccbc8c1cd3b30c7eca79432
pdf-javascript-stream PDF /JS object 616 at offset 0x7F306 2260 bytes
javascript_obj0618_009.js
0bbce45b289938fef62d2a8c379f68ccd6f5bc452d1942aad62ae5346365fe77
pdf-javascript-stream PDF /JS object 618 at offset 0x7F6D6 738 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
stream_010_off000085ed.bin
70210bc813d1e8638b9b9842e89017a56162066bf37206bf043adf104a7a0fd5
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x85ED 12267 bytes
stream_110_off000710fa.bin
aa734da80b868026c9a675b1644f49fdbfa174776eafab6a871b7f0224b00f7f
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x710FA 4306 bytes
icc_00_off00003089.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
pdf-icc-profile PDF ICC profile at offset 0x3089 3144 bytes
font_00_cff_off00002453.bin
f1ef3dde7b6b200c7ec27c81693ae63129603d23d7061e69c78cddac275557e7
pdf-font-stream PDF embedded font (cff) at offset 0x2453 2138 bytes
font_01_cff_off0001756a.bin
ae31de53c4338c30acc3552bdabd15627ed7c65775ce65546de9399a940290af
pdf-font-stream PDF embedded font (cff) at offset 0x1756A 3008 bytes
font_02_cff_off000183aa.bin
ea0c618a14b175904a552dc41666aa9d644b7b9434bf2a26e7ae6df339abfc86
pdf-font-stream PDF embedded font (cff) at offset 0x183AA 2405 bytes
font_03_cff_off00021893.bin
08568c17466a8646244aa39e0073a4fc2874c49c47d32350294d76558694cfa2
pdf-font-stream PDF embedded font (cff) at offset 0x21893 617 bytes
font_04_cff_off00068560.bin
13ce4debe8a8ed199632d72d69fcd580a58ed725d17b6f32a952fb79611cdae0
pdf-font-stream PDF embedded font (cff) at offset 0x68560 9449 bytes
font_05_cff_off0006a543.bin
a6a5e89cc7070371e5d34e471e9ca222ded489315df21925deeb6ac22a1857fa
pdf-font-stream PDF embedded font (cff) at offset 0x6A543 8956 bytes
font_06_cff_off0006c71b.bin
753908e903c329168121cce1c0e55a6ce875f8eed74a2665f625abf0af4b7c79
pdf-font-stream PDF embedded font (cff) at offset 0x6C71B 8286 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.40. In a script artifact that would be consistent with packed or encrypted content, but CFF font programs are dense binary and routinely show entropy at this level, so for this font stream the reading is not by itself a signal.
font_07_cff_off0006e442.bin
e9c2b6907db543544201cadadab5e5c21bb72f9f3967246e4154cd7b333105a2
pdf-font-stream PDF embedded font (cff) at offset 0x6E442 885 bytes
font_08_cff_off0006f251.bin
a58c343bdd80263aa650488c885eb890877cda9698c4edccf2da4d08d81ddf34
pdf-font-stream PDF embedded font (cff) at offset 0x6F251 710 bytes
font_09_cff_off0006f7d0.bin
6c0794eec4f40fd725f01a596caf911cd4e5e8b067f81371e426f08137e34a73
pdf-font-stream PDF embedded font (cff) at offset 0x6F7D0 3642 bytes
font_10_cff_off000705bc.bin
7af939e4bca5beceb0f1ba700bf2257854c56b27de71a44046b9a59a796af1ec
pdf-font-stream PDF embedded font (cff) at offset 0x705BC 1190 bytes
font_12_cff_off000720b9.bin
f3b8dce572784efa03a43725af34176a6e870100dc89b7c8e7fd37ba5c978d78
pdf-font-stream PDF embedded font (cff) at offset 0x720B9 560 bytes
font_13_cff_off000723c7.bin
26a96d78099e66ce1ae40a6023fd78de83d1abb9800b954d1cf858cad218c3ca
pdf-font-stream PDF embedded font (cff) at offset 0x723C7 586 bytes
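The per-file Detection notes above combine two static signals, a token count and an entropy reading, and the entropy reading needs the artifact's kind to be interpreted sensibly. The block below is an added example and not the pipeline's own code: it computes both signals for a carved artifact and treats a high entropy value on a decompressed font, ICC or image stream as expected rather than as packing. The token list, the 7.2 threshold, the image kind name and the sample inputs are this example's assumptions.

```python
"""Scoring a carved artifact the way the per-file Detection notes above do (added example)."""
import math
import re
from collections import Counter

# Assumed token set for "eval/decoder/string-building" constructs.
TOKENS = re.compile(
    rb"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|\batob\s*\(|"
    rb"decodeURIComponent|\.replace\s*\(|\.charCodeAt\s*\(")
ENTROPY_THRESHOLD = 7.2                     # assumed; the report flagged 7.40
# Kinds whose decoded bytes are dense binary by nature ("pdf-image-stream" is assumed).
ENTROPY_EXPECTED = {"pdf-font-stream", "pdf-icc-profile", "pdf-image-stream"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def count_tokens(data: bytes) -> int:
    """Number of eval/decoder/string-building tokens in a script-like artifact."""
    return len(TOKENS.findall(data))


def triage_artifact(kind: str, data: bytes) -> dict:
    """Return entropy, token count, a verdict string and the reasons behind it."""
    ent = round(shannon_entropy(data), 2)
    toks = count_tokens(data)
    reasons = []
    if toks:
        reasons.append(f"carved artifact contains {toks} eval/decoder/string-building token(s)")
    packed = ent >= ENTROPY_THRESHOLD
    if packed and kind in ENTROPY_EXPECTED:
        reasons.append(f"entropy {ent} is normal for {kind}; not counted as packing")
        packed = False
    elif packed:
        reasons.append(f"entropy {ent}, consistent with packed or encrypted content")
    flagged = toks > 0 or packed
    return {"kind": kind, "entropy": ent, "tokens": toks,
            "verdict": "Obfuscation or payload: likely" if flagged else "no static signal",
            "reasons": reasons}


# Constructed inputs standing in for carved files (names follow the report's scheme).
SAMPLES = {
    "javascript_obj0001_000.js": ("pdf-javascript-stream",
        b"var p = String.fromCharCode(101,118,105,108); eval(unescape(p));"),
    "font_00_cff_off00000000.bin": ("pdf-font-stream", bytes(range(256)) * 8),
    "stream_000_off00000000.bin": ("decompressed-pdf-stream",
        b"BT /F1 12 Tf (Hello) Tj ET\n" * 40),
}

if __name__ == "__main__":
    for name, (kind, data) in SAMPLES.items():
        r = triage_artifact(kind, data)
        print(f"{name}: {r['verdict']} (entropy {r['entropy']}, tokens {r['tokens']})")
        for reason in r["reasons"]:
            print("   ", reason)
```

With this kind-aware reading, the font artifact at 8.0 bits per byte produces no signal while the same bytes labelled as a JavaScript stream would be flagged as packed. A ClamAV "No threats found" line beside either result says only that no signature matched the carved bytes; it does not lower the token-based score.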