Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd50d20219a0c236…

MALICIOUS

PDF

5.8 KB
MD5: c19c1404b43e410bc299e0f7d19f912a SHA-1: eee4a2dffb33f910538a7257f34b6a7446459385 SHA-256: bd50d20219a0c236a3031c045b0dbf5ed9f17a4e05d7d498a1c982685cec3fe6
198 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, which is a common technique for delivering malicious payloads. The critical heuristics indicate the presence of obfuscated JavaScript and a secondary embedded PDF with similar suspicious findings. The extracted artifacts, a JavaScript file and another PDF, further support the malicious nature of the sample. The embedded JavaScript likely attempts to download and execute a second-stage payload.

Heuristics 6

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0004_000.js
f1b6b8ed1333001cd08283b1bf48b57382bdc531326dff060e1f810574e9adb9		 pdf-javascript-stream PDF /JS object 4 at offset 0x208 1830 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
polyglot_child_pdf_off000008dd.pdf
fbdf03f60e2675965473b2289e44bccf2f3f33efb2432a87ac444c4b73809170		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x8DD 3622 bytes
Detection
ClamAV: Heuristics.PDF.ObfuscatedNameObject
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.