Malicious PDF — malware analysis report

Static analysis result for SHA-256 e18a25268f2d2224…

Verdict: MALICIOUS
File type: PDF
Size: 1.88 MB
Created: 2006-11-07 11:38:03 -07:00
Authoring application: Adobe Illustrator 11.0 (via Deep Exploration 5 5.0.3.1555 Release)
MD5: 70ec662f6918c8089f8ac7c2e6f7cdb4
SHA-1: 592188be888869cd6c8a98ca760f26eae94b1a40
SHA-256: e18a25268f2d2224690ae7f45b0b85bd964ceb09f071dcfa972eb92ad417e013
Risk score: 174

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link
  • T1071.001 Web Protocols

The PDF file contains multiple indicators of malicious JavaScript execution, including eval(), unescape(), and String.fromCharCode() calls within decompressed streams. The presence of U3D/3D content, flagged as CVE-related, suggests an exploit targeting PDF viewers. The obfuscated JavaScript likely aims to download and execute a secondary payload, indicated by the embedded script payload heuristic. No specific family could be identified due to the heavy obfuscation.

Heuristics (10)

  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator [high, CVE related] (PDF_U3D_CVE_RELATED)
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • eval() call [high] (PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call [high] (PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Embedded script payload in PDF stream [medium] (PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action [low] (PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] (PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode [low] (PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Optional Content Group with action trigger [low] (PDF_OPTIONAL_CONTENT)
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (29)

Files carved from inside the sample during analysis.

Each entry lists: Filename / SHA-256 / Kind, Source, Size, followed by the detection result where one was recorded.
javascript_obj0222_000.js
f95e60cb4fb1fc42730d5ce790cdd02a6f481bdf65ae9c39b50b3591044c6360
pdf-javascript-stream PDF /JS object 222 at offset 0x38193 188595 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_033_off00025da9.js
83f0e3117230a4942827ef354efb831d505f83a1546ceb7cbd336b12cb2a5942
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x25DA9 22212 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_034_off00026e46.js
f8b13a3863af702dcd7e3941443dec10025d7a2a53f54e108dfaf2b8e3f2695f
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x26E46 17918 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_035_off00027c1a.js
67fdedd6cb9a0e0b6e0eaba2f238ca5c983512f99a2092d586e4edea586be475
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x27C1A 10626 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s).
stream_039_off0002a375.js
e268c3fa8753a7b53b3db467a54c42b8f9036543a6f7b6d4f1d02ccd59df16d3
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2A375 7253 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_040_off0002aaed.js
77066a7a37b3af6ad53791d7f9457b7dfed3a8d84d4feaa7031d8ae355636408
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2AAED 2855 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_041_off0002af12.js
a1069b624d829f9ed15ef9dc70c98d2a23233bb0b080385f34e121a533ca365a
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2AF12 10387 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s).
stream_045_off0002d3a4.js
09a1f6366bade2c781cbaf923095ea7085f8de7adb3a8c0b0b708123787b545f
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2D3A4 7240 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_046_off0002db2b.js
962623957d02896ce50ac303e11139789b7c547ef6f635834872fbf3a740a5c4
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2DB2B 2629 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_047_off0002df38.js
252ea1aa6e45985d77ac5ab2582980690ed57e9f198ae81a80a56806c03a8ae3
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2DF38 10231 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s).
stream_049_off0002f7b0.js
9796998ca2c32756bf181ff5f4a60580d6fd55561b2050ddebc355d20055f667
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2F7B0 7036 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_050_off0002ff25.js
2a7255a2847947efcf8ff75cb73e57c1238de0b56ef725e3acb574238a620505
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2FF25 2680 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_051_off0003033c.js
34e199a7c93f33d1bb6f18620c86cff5d7bc5c68e1809e942ed0f3c0dc1515f9
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3033C 10563 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s).
stream_053_off00031685.js
12da33232a02682161413374f6f05c0210833edfde1a8ef6373b058eab29c831
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x31685 7349 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_054_off00031e2f.js
e35d38f817cd62db5a1f4554fb99f1e4ac0bd5e7e17c19dc1ad0afd56261c2cd
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x31E2F 2699 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_055_off00032242.js
f99b25026b97bbf0ee754128febcbd6731b4870a0b207a825858361537edb519
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x32242 10656 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
stream_057_off0003350e.js
f61d6d78585bf688bcd9976ab48d95b3ceeff76f145e26142d53f0c3f6f91422
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3350E 7516 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
stream_058_off00033cb9.js
835ae1930debae0ff9f45f4d3af42c9838d14fc0ce7262bdf9b42f507a2f12bb
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x33CB9 2623 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_059_off000340c9.js
0d67705a6bb1b0b689ce8dc5c8e2647f9ac5b389b7b962dac06623e78c805ec9
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x340C9 10376 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s).
stream_061_off000354ce.js
f1b809fcabd36a7b044d90b6113a89fff86070ac264f8499b1c49f20c8e11036
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x354CE 7139 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_062_off00035c6c.js
8cf818474745e275d3a361ee51a325ca2da34fa2d6266b93bd6469334fb63052
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x35C6C 2719 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_063_off0003608d.js
edf99511724f2fa86783da015818f61810939ca447b807b0b8c274f911c20ef9
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3608D 10455 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
stream_065_off0003733e.js
0e39b508c23e49751ef8144517c5ab068efcd2c2e8347b74a648b3adeb7cf172
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3733E 7219 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_066_off00037ad6.js
575b0ab544d9a1d0fd5b4052fc85e291b9e65138e37005f64035bcb6a2a084bd
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x37AD6 2721 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_069_off00042bd1.bin
1b0458135e41a2cf3dffd7abfa0eb75881ba74e1b498192a706cc7ba2a1e80d9
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x42BD1 4171480 bytes
stream_070_off001b1f4a.js
293e87bad017638b7a9abe516b617a4baabdee4dce16511a4d1238c1e0dd2409
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1B1F4A 151320 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
objstm_0233_00.bin
130a52f1c2559f13a74c282db98c237ff20dc8dc8276adbb12e70b0069473cac
pdf-objstm-decoded PDF /ObjStm 233 0 obj (inflated) 525 bytes
objstm_0234_00.bin
50b8be7bcb0faeedcd653bd9fa39aaf66c2575814701a52e34458519eff5fb58
pdf-objstm-decoded PDF /ObjStm 234 0 obj (inflated) 3792 bytes
font_00_sfnt_off000010bf.bin
f39f99e2d4b021d4eac703afe26d32ad26f128c442f2089910c21b1f323fc85d
pdf-font-stream PDF embedded font (sfnt) at offset 0x10BF 79301 bytes