Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8ee6effb8c96b1d…

Verdict: MALICIOUS
File type: PDF
Size: 1.9 KB
Authoring application: sli
MD5: 76d5d8bd49d4c6bc0c72c397a0ff74be
SHA-1: cbb9516441461b066ffeeb088bad48b3c8e4e568
SHA-256: d8ee6effb8c96b1db8fb301e7537b4cf8e0b8a91115c1cde0602ddcb2b9d8a6b
Risk Score: 76

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ClamAV detection 'Pdf.Exploit.Dropped-91' strongly suggests this is a malicious PDF exploiting a vulnerability. The embedded JavaScript is likely responsible for downloading and executing a secondary payload, which is a common attack pattern for such documents. The SHA256 hash is included as a primary IOC.

Heuristics (3)

  • ClamAV: Pdf.Exploit.Dropped-91 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Dropped-91
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0076_000.js
    SHA-256: 8f38df02ca752afead0ea5380e42ab0811accbbd686ee80009027c5fea48b09c
    Kind: pdf-javascript-stream
    Source: PDF /JS object 76 at offset 0x426
    Size: 548 bytes
  • Filename: deobfuscated.js
    SHA-256: 011af6e6e4e245c15bcb5ed0fe83ffc015b4d44ed8b0cf9e49031c507913c9c4
    Kind: deobfuscated-js
    Source: PDF JavaScript deobfuscation pass
    Size: 1213 bytes