Malicious PDF — malware analysis report

Static analysis result for SHA-256 dcb9981d080a81fb…

Verdict: MALICIOUS
File type: PDF
Size: 301.0 KB
Created: 2009-06-25 16:57:23 UTC
Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 5.0.5 (Windows))
MD5: 0c376493bde0ac912c4ce130c486bc0f
SHA-1: c61980f24991817c8ff41e71028418940e23999e
SHA-256: dcb9981d080a81fb6766798b239378901846185946ddf72a2c7ed1e89181ee94
Risk score: 74

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The eval() call and String.fromCharCode usage suggest obfuscated JavaScript code. This script is likely designed to download and execute a second-stage payload, as suggested by the 'Suspicious extracted artifact' heuristic. The presence of JavaScript within a PDF, combined with the eval() function, strongly points to an exploit delivery mechanism.

Heuristics (7)

  • eval() call (severity: high, rule: PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (severity: low, rule: PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • ASCII85Decode filter (with exploit indicators) (severity: low, rule: PDF_FILTER_85)
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (SHA-256 of each carved file on the following line)

javascript_obj0142_000.js | pdf-javascript-stream | PDF /JS object 142 at offset 0x6D9 | 8265 bytes
  SHA-256: 09902a6f4fc69d2db0b7c22ab23461c755f2c9ff6249108cd150624899cdab33
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 10 eval/decoder/string-building token(s))

stream_005_off00002e8c.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2E8C | 30848 bytes
  SHA-256: 77bc8cc695d7476f573b661b6a9cbc05230ce53f70971431b28c33e6af14e711

stream_015_off000166f7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x166F7 | 45288 bytes
  SHA-256: 28e8ad2c8730552a75c28426e14a57b0d70190c13c71d11b521b9cce0ae77765

stream_022_off00026c80.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x26C80 | 39848 bytes
  SHA-256: 9e2874c97d002cc548854e984a0594f7246fd7682be2289791c894deddeb940a

stream_027_off00036ad6.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x36AD6 | 107773 bytes
  SHA-256: f8b5634482dabaf0040161953b708d7648a1dc1459beb6e63bf997bafb4818f7

icc_00_off000084d3.icc | pdf-icc-profile | PDF ICC profile at offset 0x84D3 | 3144 bytes
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e

font_00_cff_off00002cb5.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x2CB5 | 402 bytes
  SHA-256: 7f204b1217dc09c5fe0d70cc69892fccb9afec21bf6f0b05efc2fbc29e189aaf

font_02_cff_off00008322.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x8322 | 380 bytes
  SHA-256: df49b925c4e6cbdc7e37278e59aae46cb1308e4d562f374c71d0acec1f517e3a

font_04_sfnt_off0001cbdf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1CBDF | 36360 bytes
  SHA-256: 1871b22094f8d8959bdd0da0b1e28f198a04e1f7e96f0f332bae8a8bc1abc3bf

font_05_sfnt_off00021da0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21DA0 | 16456 bytes
  SHA-256: 42ccf568a405b12ea881446cd14f94387a120c746eb9738692e18d5a4b6502aa

font_06_sfnt_off00024fa2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x24FA2 | 10316 bytes
  SHA-256: 5220cdacb4141deaf3c113bf5b3bfeda5b26746474166b319224e2e44147bc7a

font_08_sfnt_off0002c138.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2C138 | 28796 bytes
  SHA-256: 118f42ae07c375bb043d286e3d07604991b59bb7346acfbf23cb21439ba43dac

font_09_sfnt_off0002ef3f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2EF3F | 29156 bytes
  SHA-256: 74b661c87f29daba0fadde951f2644758b2eb8e6ee74a1d261f2332d427a8409

font_10_sfnt_off00032621.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x32621 | 22064 bytes
  SHA-256: c76747777f2923b771eaf0bd4ae56ea7ad140a789553d391d0e7ce0f75c82219

font_11_cff_off00035762.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x35762 | 568 bytes
  SHA-256: 3ceb4630a6325d5d520781cc975d6cced1f8266ca922d80d40dc110ba1df92cf

font_13_sfnt_off000460bb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x460BB | 27605 bytes
  SHA-256: 659bf0b8035208f1758f1b892614dbfb0b5b7baad6052234297b54474b1d2dba