Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf545c33e7177c3e…

MALICIOUS

PDF

70.1 KB
MD5: c2ce2d199d0f7959ac28453f5315c503 SHA-1: 6cea4ae58b6410198aa3d6ca336e182e0e1bdd4e SHA-256: bf545c33e7177c3e9d7f6da149925223ebb8cf5fad16c2273c52c4bbb8d71356
66 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/JScript T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including 'PDF_JAVASCRIPT', 'PDF_JS', and 'PDF_UNESCAPE'. The presence of 'unescape()' suggests obfuscation of malicious code. The embedded JavaScript file 'javascript_obj0013_000.js' is likely responsible for executing the malicious payload. The document body is largely unreadable, providing no direct clues to the lure, but the technical indicators point towards an exploit delivery mechanism.

Heuristics 6

  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_000.js
fa1c6f86ec0befc3f1464188a13fd2156700539b901c57ab350520805cb08cda		 pdf-javascript-stream PDF /JS object 13 at offset 0x10531 3979 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
font_00_sfnt_off00000352.bin
a8f4d9b7d604c3c8a0bf3f9a31b9e952d467f98d118fdc784d95d689a14d8a33		 pdf-font-stream PDF embedded font (sfnt) at offset 0x352 65932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.