Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc330c3debf05fbd…

Verdict: MALICIOUS
File type: PDF
Size: 68.2 KB
Created: 2008-10-21 11:20:17 +02:00
Authoring application: Acrobat PDFMaker 7.0.5 for Word (via Acrobat Distiller 7.0.5 (Windows))
MD5: 3f35842d5e92a2951ef7d0a5c40b5e0b
SHA-1: cf4f8f113f91ff19e542a28f97b4954a2278eb78
SHA-256: dc330c3debf05fbd6d0fd6b6521f8a7700cfcdff6750fa0d5081b24d6b097538
Risk score: 126

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell (the analyzer's tag; nothing in this static analysis shows PowerShell. The behaviour actually observed, obfuscated JavaScript executed by the PDF reader, corresponds to T1059.007 JavaScript.)

The PDF carries eleven embedded JavaScript streams. Two of the carved streams (objects 173 and 188) are obfuscated: they assemble strings with String.fromCharCode() and pass the result to eval(), so the script that actually runs is invisible to a signature scanner until that string is decoded. Hiding the real payload this way is the standard construction of a PDF dropper, and together with the ClamAV signature Pdf.Dropper.Agent-7312541-0 it is enough to classify the file as malicious. What the decoded script does is not established by this static pass: droppers of this class typically download and execute a further stage, but confirming that for this sample requires decoding objects 173 and 188 or detonating the file in an instrumented reader.
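To see what such a stream hands to eval() without executing any JavaScript, the following added example (not code from the report or its analyzer) folds String.fromCharCode() and unescape() calls into string literals, collects `var x = "...";` assignments, and resolves the `+` chain inside each eval() statically. The input is a constructed snippet in the same style; the real contents of objects 173 and 188 are not reproduced here, and the function names are assumptions.

```python
import json
import re

# Constructed sample written in the eval()/String.fromCharCode()/unescape() style
# the report describes. It is an assumption for illustration, not the content of
# the carved objects 173 or 188.
SAMPLE_JS = r'''
var a = String.fromCharCode(97,112,112,46,97,108,101,114,116);
var b = unescape("%28%22%68%69%22%29");
eval(a + b);
'''

STR_LIT = r'"(?:[^"\\]|\\.)*"'          # a double-quoted JS string literal


def js_unescape(s: str) -> str:
    """Emulate JavaScript's unescape(): %uXXXX (UTF-16 unit) and %XX sequences."""
    s = re.sub(r'%u([0-9A-Fa-f]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'%([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)


def fold_fromcharcode(js: str) -> str:
    """Replace String.fromCharCode(n, n, ...) with the equivalent string literal."""
    def repl(m):
        codes = [int(c) for c in m.group(1).split(',') if c.strip()]
        return json.dumps(''.join(chr(c) for c in codes))
    return re.sub(r'String\.fromCharCode\(\s*([\d\s,]+?)\s*\)', repl, js)


def fold_unescape(js: str) -> str:
    """Replace unescape("...") with the decoded string literal."""
    return re.sub(r'unescape\(\s*"([^"]*)"\s*\)',
                  lambda m: json.dumps(js_unescape(m.group(1))), js)


def literal_value(lit: str) -> str:
    """Decode a JS string literal; JSON escapes cover everything the folders emit."""
    try:
        return json.loads(lit)
    except ValueError:
        return lit[1:-1]        # keep raw text for escapes JSON does not know (e.g. \x41)


def resolve_eval(js: str) -> list:
    """Return the string each eval() call would execute, without running any JS.
    Handles `var x = "literal";` assignments and `+` concatenation of identifiers
    and literals. Anything else (function calls, array joins, a '+' inside a
    literal) is reported as <unresolved:...> for manual follow-up."""
    js = fold_unescape(fold_fromcharcode(js))
    consts = {name: literal_value(lit)
              for name, lit in re.findall(r'var\s+(\w+)\s*=\s*(' + STR_LIT + r')\s*;', js)}
    resolved = []
    for expr in re.findall(r'\beval\(\s*(.*?)\s*\)\s*;', js):
        out = ''
        for part in (p.strip() for p in expr.split('+')):
            if re.fullmatch(STR_LIT, part):
                out += literal_value(part)
            elif part in consts:
                out += consts[part]
            else:
                out += '<unresolved:%s>' % part
        resolved.append(out)
    return resolved


if __name__ == '__main__':
    for payload in resolve_eval(SAMPLE_JS):
        print('eval would execute:', payload)
```

On the constructed snippet the resolver recovers `app.alert("hi")`, which is the point of the exercise: the literal that a signature scanner never sees is exactly what the reader's JavaScript engine will run. Real droppers add layers (a second eval inside the decoded string, charCodeAt arithmetic, data pulled from PDF form fields), so treat an `<unresolved:...>` result as a prompt to decode the next layer by hand rather than as a clean result.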

Heuristics (7)

  • ClamAV: Pdf.Dropper.Agent-7312541-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7312541-0
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    All seven are XMP/RDF schema namespace identifiers from the document's metadata packet, which the PDFMaker/Distiller toolchain writes into every file it produces. They are not network indicators and should not be treated as IOCs.
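A minimal reproduction of the carving and scoring path these heuristics describe, added here as an example (it is not the analyzer's code): it locates every /JS key, resolves indirect references to stream objects, inflates FlateDecode streams, and scores the decoded text with a rule table modelled on the rule IDs above, so hits are reported "inside the decoded stream" the way the report does. The PDF it parses is constructed inline; the rule weights, the object layout and the function names are assumptions.

```python
import re
import zlib

# Rule table modelled on the heuristics listed in this report. The severities
# follow the report; the numeric weights are an assumption for illustration,
# not the analyzer's own scoring.
DOC_RULES = [
    ('PDF_JAVASCRIPT', 'low', rb'/JavaScript\b'),
    ('PDF_JS', 'low', rb'/JS\b'),
]
JS_RULES = [
    ('PDF_EVAL', 'high', rb'\beval\s*\('),
    ('PDF_FROMCHARCODE', 'low', rb'String\.fromCharCode\s*\('),
    ('PDF_UNESCAPE', 'low', rb'\bunescape\s*\('),
]
WEIGHT = {'critical': 50, 'high': 30, 'medium': 15, 'low': 5, 'info': 0}

OBJ_RE = re.compile(rb'(\d+)\s+\d+\s+obj\b(.*?)\bendobj', re.S)
STREAM_RE = re.compile(rb'\bstream\r?\n(.*?)\r?\nendstream', re.S)
# /JS is either an indirect reference to a stream object or an inline literal string
# (PDF literals escape parentheses as \( and \); balanced unescaped nesting is not handled).
JS_REF_RE = re.compile(rb'/JS\s*(?:(\d+)\s+\d+\s+R|\(((?:\\.|[^\\)])*)\))', re.S)


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF (not the analysed sample): the catalog's /OpenAction is
    a JavaScript action whose /JS points at a FlateDecode stream."""
    js = b'var p=String.fromCharCode(112,97,121);eval(p+"load()");'
    comp = zlib.compress(js)
    objs = [
        b'<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>',
        b'<< /Type /Pages /Kids [] /Count 0 >>',
        b'<< /Type /Action /S /JavaScript /JS 4 0 R >>',
        b'<< /Length %d /Filter /FlateDecode >>\nstream\n' % len(comp) + comp + b'\nendstream',
    ]
    pdf = b'%PDF-1.4\n'
    for num, body in enumerate(objs, 1):
        pdf += b'%d 0 obj\n' % num + body + b'\nendobj\n'
    return pdf + b'trailer\n<< /Root 1 0 R >>\n%%EOF\n'


def decode_stream(body: bytes):
    """Return the stream payload of an object body, inflated if it is FlateDecode."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    data = m.group(1)
    if b'/FlateDecode' in body[:m.start()]:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass   # damaged or truncated stream: score the raw bytes rather than drop them
    return data


def carve_js(pdf: bytes) -> list:
    """Return every JavaScript body reachable through a /JS key, with its source object."""
    # Flat scan; with incremental updates the last definition of an object number wins.
    objs = {int(m.group(1)): (m.start(), m.group(2)) for m in OBJ_RE.finditer(pdf)}
    artifacts = []
    for num, (off, body) in objs.items():
        m = JS_REF_RE.search(body)
        if not m:
            continue
        if m.group(1):                       # /JS n 0 R -> indirect stream object
            ref = int(m.group(1))
            if ref not in objs:
                continue
            src_off, src_body = objs[ref]
            code = decode_stream(src_body)
            if code is None:
                continue
            artifacts.append({'object': ref, 'offset': src_off, 'code': code,
                              'source': 'PDF /JS object %d at offset 0x%X' % (ref, src_off)})
        else:                                # /JS (literal) inline in the action dictionary
            code = re.sub(rb'\\([()\\])', rb'\1', m.group(2))
            artifacts.append({'object': num, 'offset': off, 'code': code,
                              'source': 'PDF /JS literal in object %d at offset 0x%X' % (num, off)})
    return artifacts


def match_rules(rules, data: bytes) -> list:
    return [(rid, sev) for rid, sev, pat in rules if re.search(pat, data)]


def triage(pdf: bytes) -> dict:
    """Document-level rules on the raw file, token rules on each decoded JS artifact."""
    heuristics = match_rules(DOC_RULES, pdf)
    artifacts = carve_js(pdf)
    for a in artifacts:
        a['tokens'] = match_rules(JS_RULES, a['code'])
        a['size'] = len(a['code'])
        heuristics += [t for t in a['tokens'] if t not in heuristics]
    return {'heuristics': heuristics, 'artifacts': artifacts,
            'score': sum(WEIGHT[sev] for _, sev in heuristics)}


if __name__ == '__main__':
    result = triage(build_sample_pdf())
    for a in result['artifacts']:
        print(a['source'], a['size'], 'bytes', [rid for rid, _ in a['tokens']])
    print('heuristics:', result['heuristics'], 'score:', result['score'])
```

The flat regex scan is adequate for triage and mirrors what the report's offsets (0xD7FC, 0xBB76, ...) refer to, but it is not how a reader finds objects: Acrobat resolves them through the xref table and can load them from compressed object streams (/ObjStm), so a sample that hides its /JS key inside an object stream, or behind a name written with hex escapes such as /J#53, is missed by this scanner while still executing in the reader. Use a full PDF parser for anything beyond first-pass sorting.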

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Fields: filename, SHA-256, kind, source, size

javascript_obj0177_001.js
  SHA-256: 4b024e23c65bfca25f3ae333f366444cecd6a5c9b6de4aa5317d59031ba7404c
  Kind: pdf-javascript-stream
  Source: PDF /JS object 177 at offset 0xD7FC
  Size: 125 bytes

javascript_obj0180_002.js
  SHA-256: 75de26c7269a06fc7825d89a4493e04c155efbc3d382c286d2ca06aa600a7a01
  Kind: pdf-javascript-stream
  Source: PDF /JS object 180 at offset 0xD9F9
  Size: 164 bytes

javascript_obj0181_003.js
  SHA-256: d9b0adb46e43b8cd8f2eb61236ec7a0221ad24b9a1f7645cda6a8eab5b3017a2
  Kind: pdf-javascript-stream
  Source: PDF /JS object 181 at offset 0xDAE2
  Size: 71 bytes

javascript_obj0182_004.js
  SHA-256: 23848f82ba8dd1727256c379d74d46b173e4203c87038b552108fe1a31085ace
  Kind: pdf-javascript-stream
  Source: PDF /JS object 182 at offset 0xDB66
  Size: 226 bytes

javascript_obj0183_005.js
  SHA-256: 87df0063dd37411bf7c05daea98911845ff37309944eb19a3a431442ccb6b0c5
  Kind: pdf-javascript-stream
  Source: PDF /JS object 183 at offset 0xDC91
  Size: 123 bytes

javascript_obj0186_006.js
  SHA-256: e7d2b044057b58674be0ea0c54e16627d204280bd51d432a58b60a9f0330023b
  Kind: pdf-javascript-stream
  Source: PDF /JS object 186 at offset 0xDF2A
  Size: 155 bytes

javascript_obj0173_007.js
  SHA-256: 548e830acb60b0693c1287a313d05733670f9866b62a498e4d2851f47f69d7f1
  Kind: pdf-javascript-stream
  Source: PDF /JS object 173 at offset 0xBB76
  Size: 2796 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 4 eval/decoder/string-building token(s).

javascript_obj0179_008.js
  SHA-256: 72c2057e454a7b396f11686f58a7dfb1a3f5cdf0a6f3083f5b3095f3a2d66490
  Kind: pdf-javascript-stream
  Source: PDF /JS object 179 at offset 0xD8F3
  Size: 348 bytes

javascript_obj0185_009.js
  SHA-256: 47dcb0f74a1455cf5ab1be391b91fea4dd0f57a1ba23cc0302991a79c6f44034
  Kind: pdf-javascript-stream
  Source: PDF /JS object 185 at offset 0xDD84
  Size: 839 bytes

javascript_obj0188_010.js
  SHA-256: 137658fa3aca71ffe89611ab5a7e3145f16d99c4c39ee9d0da35be2e4e954e19
  Kind: pdf-javascript-stream
  Source: PDF /JS object 188 at offset 0xE030
  Size: 682 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 4 eval/decoder/string-building token(s).

javascript_obj0192_011.js
  SHA-256: 7e836de381f2f76b8ff329849b67b7900327d366bd492b589f305466c82424f1
  Kind: pdf-javascript-stream
  Source: PDF /JS object 192 at offset 0xFA7A
  Size: 1953 bytes

icc_00_off00004f73.icc
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  Kind: pdf-icc-profile
  Source: PDF ICC profile at offset 0x4F73
  Size: 3144 bytes