Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca45b0fee7b4fe0f…

Verdict: MALICIOUS
File type: PDF
Size: 300.6 KB
MD5: 30ed32c50f4f3c1023c63f07b3d56f6c
SHA-1: d199399aa1af0ae07019952f383e7c3e6554bcb2
SHA-256: ca45b0fee7b4fe0ffc8049b72826d42604cb8e7a56d01b9762ff4b93a783179b
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1553.005 Mark-of-the-Web Bypass

The PDF file contains embedded JavaScript, and a critical-severity heuristic fired on an embedded Windows executable payload. This suggests the PDF is designed either to exploit reader vulnerabilities or to trick the user into executing the embedded PE file, which is likely the primary malware payload. No specific malware family could be identified, but the delivery mechanism is clear.

Heuristics (6)

  • [critical] PDF_EMBEDDED_PE_PAYLOAD: Embedded Windows executable payload in PDF stream
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • [medium] PDF_FILTER_HEX: ASCIIHexDecode filter (with exploit indicators)
    Hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes.
  • [low] PDF_JAVASCRIPT: JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_XFA: XFA form
    PDF uses XML Forms Architecture, which can contain script logic.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, kind, source inside the sample, size and SHA-256.

  • javascript_obj0012_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 12 at offset 0x4A24D
    Size: 5146 bytes
    SHA-256: 751b340acac81b1ea6b7a95da4f426aa46f5f921f252cd6ba3e1eaa0676a2d36
  • stream_000_off00000337.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x337
    Size: 525856 bytes
    SHA-256: 3d68b6c65f2aff682ee36830025e4b0bbc1d6190719567586d71e5b17223b3fc
  • embedded_pdf_0002cd45.exe
    Kind: embedded-pe
    Source: PDF decompressed stream PE payload at offset 0x2CD45
    Size: 343058 bytes
    SHA-256: 134290aa3b149f9e74c1f654ec13eb88ed554418fb8a3698b7f05058966f4d61