Malicious PDF — malware analysis report

Static analysis result for SHA-256 e40585444e67dfb9…

Verdict: MALICIOUS
File type: PDF
Size: 56.2 KB
MD5: 9a39419cb7fa592207890ccc275a501a
SHA-1: ad011180065e55bf19383a1242c5a2f24ffd2ea4
SHA-256: e40585444e67dfb93445d57839a2338d10c4d0b706dd7c75cd1905574d1c78e9
Risk score: 166

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

ClamAV flags this PDF as Win.Exploit.CVE_2018_4990-6599478-0, and the Nyx PDF classifier independently scores it malicious (0.9198). Structurally, the file pairs a /JPXDecode (JPEG2000) image with active content: a /JavaScript action whose /JS stream builds strings with String.fromCharCode, wired to an AcroForm button (/Btn) as its trigger, on a single page that paints one image and emits no text. That combination is the delivery pattern of the CVE-2018-4990 exploit family, a memory-corruption flaw in the JPEG2000 image parser of Adobe Acrobat and Reader, with the JavaScript as the code-execution half of the pair. The static indicators do not by themselves prove that a malformed JP2 codestream is present; confirming it requires extracting the JPXDecode object and inspecting its codestream, or detonating the sample in an instrumented Reader. The ATT&CK mapping follows from the lure shape: a spearphishing attachment that relies on the victim opening the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9198

Heuristics (8)

  • JPXDecode + active content — JPEG2000 CVE-family indicator (severity: high; tag: CVE related; rule: PDF_JPX_CVE_2018_4990_RELATED)
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive. Confirming it means carving the JPXDecode image object and inspecting its codestream rather than trusting the co-occurrence alone.
  • ClamAV: Win.Exploit.CVE_2018_4990-6599478-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Exploit.CVE_2018_4990-6599478-0. The signature name is the vendor's classification of the matched bytes and agrees with the JPXDecode heuristic above.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (severity: low; rule: PDF_FROMCHARCODE)
    String.fromCharCode found; it is used to construct payload strings dynamically. It is common in benign JavaScript libraries for codepoint manipulation, so on its own it is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. Matched inside a decoded stream, not in the raw bytes.
  • AcroForm button with action trigger (severity: low; rule: PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • PDF paints image(s) but contains no text operators (severity: info; rule: PDF_IMAGE_ONLY_LURE)
    PDF has 1 image XObject and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either the raw bytes or the decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or a risky URI context.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: javascript_obj0014_000.js
  SHA-256: 1cff7b0fe2a04d356c7100013d88035064145a1de4d5f8f9f8e8b21d6a394a7e
  Kind: pdf-javascript-stream
  Source: PDF /JS object 14 at offset 0x1364
  Size: 397874 bytes (larger than the whole 56.2 KB container, so this is the decoded size and the stream was stored heavily compressed; long repetitive string buffers compress this way, but read the script before concluding it is a heap-spray stage)
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. The carved artifact contains 1 eval/decoder/string-building token, consistent with the String.fromCharCode hit above.

Artifact 2
  Filename: font_00_cff_off0000d761.bin
  SHA-256: 3ad89875e6fb7800b92b2a7d51b20b4698616ec3f17bd584488b4745cd64e011
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xD761
  Size: 1578 bytes
  Note: the content streams emit no text, so this font is never used for rendering. That is unusual but not malicious by itself (AcroForm fields routinely reference a default font); it is worth a look only because font parsers are a separate attack surface from the JPEG2000 decoder.
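Every heuristic above, and the carve-and-count check on the extracted JavaScript, is a byte-level test that needs no PDF library. The script below is an added example, not the scanner's code: it builds a constructed lure PDF in memory (not the analysed sample) with the same four ingredients, a /JPXDecode image, a /Btn field whose /A fires Flate-compressed JavaScript that calls String.fromCharCode, and a page that only paints the image, then reports which rule IDs fire and carves the /JS stream to count decoder tokens. The rule IDs reuse the report's names; the regexes, the token list and the synthetic objects are assumptions. It honours a direct /Length and keeps raw bytes when inflation fails, because deliberately broken streams are a routine evasion in malicious PDFs.

```python
# Byte-level PDF triage reproducing the report's heuristics. Added example,
# not the scanner's code; the sample PDF is constructed, NOT the analysed file.
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"(.*?)stream\r?\n(.*)endstream", re.S)
# Text-showing operators only occur inside BT/ET, so BT alone proves text is
# drawn; ' and " are left out because they are noise outside a BT block.
TEXT_OP_RE = re.compile(rb"(?<![A-Za-z/])(BT|ET|Tj|TJ)(?![A-Za-z])")
JS_TOKENS = (b"eval(", b"unescape(", b"String.fromCharCode", b".replace(", b".split(")


def build_sample_pdf() -> bytes:
    """Constructed lure: JPXDecode image + /Btn whose /A fires Flate-compressed
    JavaScript + a page that paints only the image (assumed layout)."""
    js = b"var s = String.fromCharCode(0x41, 0x42); app.alert(s);"
    js_z = zlib.compress(js)
    content = b"q 200 0 0 200 0 0 cm /Im0 Do Q"
    bodies = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /AcroForm << /Fields [6 0 R] >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Contents 4 0 R "
        b"/Resources << /XObject << /Im0 7 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(content), content),
        b"<< /Type /Action /S /JavaScript /JS 8 0 R >>",
        b"<< /FT /Btn /T (Open) /Ff 65536 /Rect [10 10 190 60] /A 5 0 R >>",
        b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 "
        b"/Filter /JPXDecode /Length 0 >>\nstream\n\nendstream",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(js_z), js_z),
    ]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(bodies, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    return out + b"%%EOF\n"  # no xref: byte-level triage never needs one


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> (dictionary bytes, decoded stream bytes or None)."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        sm = STREAM_RE.match(body)
        if not sm:
            objs[num] = (body, None)
            continue
        dic, raw = sm.group(1), sm.group(2)
        ln = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dic)  # direct lengths only
        if ln:
            raw = raw[: int(ln.group(1))]
        if b"/FlateDecode" in dic:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass  # malware often ships deliberately broken streams; keep raw bytes
        objs[num] = (dic, raw)
    return objs


def page_contents(objs: dict) -> list:
    """Decoded content streams of every /Type /Page (single ref or array)."""
    out = []
    for dic, _ in objs.values():
        m = re.search(rb"/Contents\s*(\[[^\]]*\]|\d+\s+0\s+R)", dic)
        if re.search(rb"/Type\s*/Page\b", dic) and m:
            for ref in re.findall(rb"(\d+)\s+0\s+R", m.group(1)):
                data = objs.get(int(ref), (None, None))[1]
                if data is not None:
                    out.append(data)
    return out


def triage(pdf: bytes) -> dict:
    """Return {rule_id: severity} for the report's heuristics that fire."""
    objs = parse_objects(pdf)
    dicts = b"\n".join(d for d, _ in objs.values())
    streams = [s for _, s in objs.values() if s is not None]
    hits = {}
    js_action = b"/JavaScript" in dicts
    js_stream = re.search(rb"/JS\b", dicts) is not None
    if js_action:
        hits["PDF_JAVASCRIPT"] = "low"
    if js_stream:
        hits["PDF_JS"] = "low"
    if any(b"String.fromCharCode" in blob for blob in streams + [dicts]):
        hits["PDF_FROMCHARCODE"] = "low"  # matched inside decoded streams too
    active = js_action or js_stream or b"/XFA" in dicts or b"/RichMedia" in dicts
    if b"/JPXDecode" in dicts and active:  # co-occurrence, not proof of a bad codestream
        hits["PDF_JPX_CVE_2018_4990_RELATED"] = "high"
    if re.search(rb"/FT\s*/Btn", dicts) and re.search(
            rb"/S\s*/(JavaScript|URI|Launch|SubmitForm)\b", dicts):
        hits["PDF_ACROFORM_BUTTON"] = "low"
    if re.search(rb"/Subtype\s*/Image", dicts) and not any(
            TEXT_OP_RE.search(c) for c in page_contents(objs)):
        hits["PDF_IMAGE_ONLY_LURE"] = "info"
    return hits


def carve_js(pdf: bytes) -> list:
    """Carve decoded /JS streams as (obj number, bytes, suspicious-token count)."""
    objs = parse_objects(pdf)
    carved = []
    for dic, _ in objs.values():
        for ref in re.findall(rb"/JS\s+(\d+)\s+0\s+R", dic):
            data = objs.get(int(ref), (None, b""))[1] or b""
            carved.append((int(ref), data, sum(data.count(t) for t in JS_TOKENS)))
    return carved


if __name__ == "__main__":
    sample = build_sample_pdf()
    for rule, sev in sorted(triage(sample).items()):
        print(f"{sev:<5} {rule}")
    for num, js, n in carve_js(sample):
        print(f"obj {num}: {len(js)} decoded bytes, {n} decoder/string-building token(s)")
```

Run against the constructed sample, all six structural rules fire and the carved /JS object reports one decoder token; run against a plain text page with no JavaScript, nothing fires. The JPX rule is deliberately a co-occurrence check, mirroring the report: it tells you where to look (the /JPXDecode object), not that the codestream is malformed. Real-world samples also hide /JS as inline strings, in object streams, or behind indirect /Length references, none of which this minimal parser resolves.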