Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5a6a0c1a06cbaaf…

Verdict: MALICIOUS
File type: PDF
Size: 6.8 KB
MD5: 5335aa4a89cab29689176b362fdceddf
SHA-1: 91c08854a3bedf5ab56f295354ef64b07f006905
SHA-256: c5a6a0c1a06cbaafbf4400149ae7009e7b5ee77027980e52098ccd0016a12756
Risk Score: 178

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 Malicious File Execution: Malicious File

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The presence of PDF_UNESCAPE and PDF_JBIG2_ACTIVE_CONTENT suggests obfuscation and active content, further supported by ClamAV's detection of Heuristics.PDF.ObfuscatedNameObject. The embedded JavaScript file, javascript_obj0006_000.js, is the primary artifact, likely responsible for executing the malicious payload. The exact function of the script is unclear due to potential obfuscation, but its presence within an obfuscated PDF points to a malicious delivery mechanism.

Heuristics (7)

  • PDF_JBIG2_ACTIVE_CONTENT (high, CVE related): JBIG2 + active content
    JBIG2Decode appears with JavaScript/XFA/RichMedia — a related indicator for JBIG2 parser-exploit families including CVE-2021-30860 and CVE-2009-0658, but not a unique CVE fingerprint.
  • CLAMAV_DETECTION (critical): ClamAV: Heuristics.PDF.ObfuscatedNameObject
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • PDF_UNESCAPE (high): unescape() call
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • PDF_JBIG2 (medium): JBIG2Decode filter
    JBIG2 image decoder present — historically used in zero-click exploits
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0006_000.js
SHA-256: dc57676d7c3016964dae4dbde965bb06a24dba6de63a0522c8eee765a01ac6f0
Kind: pdf-javascript-stream
Source: PDF /JS object 6 at offset 0x234
Size: 5306 bytes
Detection (ClamAV): No threats found
Obfuscation or payload: likely (the carved artifact contains 4 eval/decoder/string-building token(s))