Malicious PDF — malware analysis report

Static analysis result for SHA-256 c416f34a80e6be57…

Verdict: MALICIOUS
File type: PDF
Size: 81.7 KB
MD5: 406f873fe7cca6cbc22a1a9d2b6cc931
SHA-1: 339fac30a8240334e43ff3a578510d15782276d2
SHA-256: c416f34a80e6be577e0e3c209d071015c60a8dae9125fccf1279a48ff5caf151
Risk Score: 172

Malware Insights

MITRE ATT&CK
T1204 User Execution; T1204.002 User Execution: Malicious File; T1059.001 Command and Scripting Interpreter: PowerShell
Note: T1204 is the parent technique (User Execution); T1204.001 is the Malicious Link sub-technique and T1204.002 is Malicious File. The T1059.001 (PowerShell) mapping is not evidenced by any artifact listed on this page; treat it as a classifier suggestion until the decoded /JS streams show a PowerShell invocation.

This PDF contains embedded JavaScript and carries a second PDF as a file attachment; ClamAV flags it as a dropper (Pdf.Dropper.Agent-1506703). The PDF_JAVASCRIPT and PDF_JS heuristics only record that a /JavaScript action and a /JS stream are present (both low severity on their own, since benign forms use JavaScript too); whether the script downloads or launches a secondary payload has to be confirmed from the carved /JS streams listed under Extracted artifacts. The critical PDF_EMBEDDED_CHILD_STATIC_TRIAGE finding is the stronger signal: the embedded child PDF (carved as msf.pdf) itself matches suspicious heuristics, including JavaScript, XFA forms and exploit indicators, which is the wrapper pattern used to hide an exploit or lure from scanners that do not recurse into attachments. Taken together, the findings point to a dropper built to compromise the user's system.

Heuristics (7)

  • PDF_EMBEDDED_CHILD_STATIC_TRIAGE (critical): Embedded PDF child has suspicious static findings
    The PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Dropper.Agent-1506703
    ClamAV detected this file as malware: Pdf.Dropper.Agent-1506703
  • PDF_FILTER_HEX (medium): ASCIIHexDecode filter (with exploit indicators)
    A hex-encoding filter is present alongside exploit-delivery indicators; this filter is often used to hide payload or shellcode bytes.
  • PDF_JAVASCRIPT (low): JavaScript action
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): Embedded JS stream
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_EMBEDDED (low): Embedded file
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF_XFA (low): XFA form
    The PDF uses XML Forms Architecture, which can contain script logic.
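
The recursive triage that the PDF_EMBEDDED_CHILD_STATIC_TRIAGE and PDF_FILTER_HEX rules describe, as an added example (it is not the analysis platform's code): a small Python scanner that carves objects by keyword, undoes ASCIIHexDecode and FlateDecode filters in the order the /Filter entry lists them, tags the same dictionary names the heuristics above key on, and recurses into any decoded stream that is itself a PDF. The sample it scans is constructed inline (a wrapper PDF whose /EmbeddedFile is a hex-over-flate encoded child PDF carrying a hex-encoded /JS stream). The tag names reuse the page's; JS_DANGEROUS_API, UNDECODABLE_STREAM and the DANGEROUS_JS_APIS list are assumptions for this example.

```python
import binascii
import re
import zlib

# Regex object carving is a triage shortcut, not a conforming PDF parser (no
# object streams, incremental updates or encryption); /Length should be direct.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"\bstream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")
NAME_RE = re.compile(rb"/(\w+)")
# Dictionary names mapped to the tags this report uses for them.
SUSPICIOUS_NAMES = {b"JavaScript": "PDF_JAVASCRIPT", b"JS": "PDF_JS", b"XFA": "PDF_XFA",
                    b"EmbeddedFile": "PDF_EMBEDDED", b"ASCIIHexDecode": "PDF_FILTER_HEX"}
# Acrobat JavaScript calls worth a separate score (assumed list for this example).
DANGEROUS_JS_APIS = (b"exportDataObject", b"launchURL", b"util.printf", b"unescape(")


def apply_filters(data: bytes, filters: list) -> bytes:
    """Undo /Filter entries in the order listed; that order is the decode order."""
    for f in filters:
        if f == b"ASCIIHexDecode":
            hexdata = re.sub(rb"\s", b"", data.split(b">", 1)[0])  # '>' is the EOD marker
            if len(hexdata) % 2:  # a dangling final digit is read as if followed by 0
                hexdata += b"0"
            data = binascii.unhexlify(hexdata)
        elif f == b"FlateDecode":
            data = zlib.decompress(data)
        else:
            raise ValueError("unsupported filter %r" % f)
    return data


def split_object(body: bytes) -> tuple:
    """Return (dictionary part, raw stream bytes or None) for one carved object."""
    m = STREAM_RE.search(body)
    if not m:
        return body, None
    head = body[:m.start()]
    lm = LENGTH_RE.search(head)  # indirect /Length: fall back to the endstream keyword
    end = m.end() + int(lm.group(1)) if lm else body.rfind(b"endstream")
    return head, body[m.end():end]


def triage(pdf: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Tag suspicious objects, decode streams, recurse into embedded PDFs."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        num = int(m.group(1))
        head, raw = split_object(m.group(3))
        names = set(NAME_RE.findall(head))
        findings += [{"depth": depth, "obj": num, "tag": t} for n, t in SUSPICIOUS_NAMES.items() if n in names]
        if raw is None:
            continue
        fm = FILTER_RE.search(head)
        try:
            data = apply_filters(raw, NAME_RE.findall(fm.group(1)) if fm else [])
        except (ValueError, binascii.Error, zlib.error) as exc:
            findings.append({"depth": depth, "obj": num, "tag": "UNDECODABLE_STREAM", "detail": str(exc)})
            continue
        if data.lstrip().startswith(b"%PDF"):  # wrapper PDF: the child gets its own pass
            child = triage(data, depth + 1, max_depth) if depth < max_depth else []
            findings += child
            if child:
                findings.append({"depth": depth, "obj": num, "tag": "PDF_EMBEDDED_CHILD_STATIC_TRIAGE"})
            continue
        findings += [{"depth": depth, "obj": num, "tag": "JS_DANGEROUS_API", "detail": api.decode()}
                     for api in DANGEROUS_JS_APIS if api in data]
    return findings


def assemble(objects: list) -> bytes:
    """Minimal PDF body with numbered objects; no xref, which keyword carving does not need."""
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objects, 1))
    return b"%PDF-1.7\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def build_sample(js: bytes) -> bytes:
    """Constructed two-layer sample (not the report's file): child PDF with a hex /JS stream, attached hex-over-flate."""
    hexjs = binascii.hexlify(js) + b">"
    child = assemble([
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /ASCIIHexDecode >>\nstream\n%s\nendstream" % (len(hexjs), hexjs),
    ])
    packed = binascii.hexlify(zlib.compress(child)) + b">"
    return assemble([
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(inner.pdf) 3 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Filespec /F (inner.pdf) /EF << /F 4 0 R >> >>",
        b"<< /Type /EmbeddedFile /Length %d /Filter [/ASCIIHexDecode /FlateDecode] >>\nstream\n%s\nendstream" % (len(packed), packed),
    ])


def demo() -> list:
    # Constructed lure script: exportDataObject with nLaunch 2 saves and opens an attachment.
    return triage(build_sample(b"this.exportDataObject({ cName: 'inner.bin', nLaunch: 2 });"))


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

For a real file, replace build_sample() with its bytes. The depth field is what separates findings raised on the wrapper from those raised inside the attachment, which is the distinction the critical rule above depends on: a wrapper that shows only PDF_EMBEDDED at depth 0 can still carry the whole exploit at depth 1.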

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • javascript_obj0012_000.js (3144 bytes)
    Kind: pdf-javascript-stream; source: PDF /JS object 12 at offset 0x132C0
    SHA-256: c101c1ffa39455813e54581a2a827f42cf9088adb4109c9162045e030aecfba9
  • msf.pdf (82906 bytes)
    Kind: pdf-embedded-file; source: PDF EmbeddedFile object 8 at offset 0x3A2
    SHA-256: f63abc0cb6ba7851a15a5ab2cf846af27f961413fbff57cfac622bec69458e6d
  • javascript_obj0009_000.js (56 bytes)
    Kind: pdf-javascript-stream; source: PDF /JS object 9 at offset 0x14510
    SHA-256: d34469e19a1a64397bfd3c97f146a8aca8c2e06509fc8ac323640cceb1b714e3
  • javascript_obj0009_001.js (54 bytes)
    Kind: pdf-javascript-stream; source: PDF /JS object 9 at offset 0x14510
    SHA-256: 2bb1e7a202c327335e98a6e43785bbd246ca7796ccc763fad48de6300cba11eb