Malicious PDF — malware analysis report

Static analysis result for SHA-256 e59f40c224b3eb14…

MALICIOUS

PDF

4.22 MB Created: 2006-02-27 11:46:19 -08:00 Authoring application: Word (via Mac OS X 10.4.5 Quartz PDFContext)
MD5: d5639edd5767b4bb4f03ad5dd701f10d SHA-1: 7d090edf780ea9c53a95f1577aad026deeed0fc7 SHA-256: e59f40c224b3eb142a5fcf92224099c7c0392e6de6cb9448e8fc4140a1267cc3
156 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript with eval() calls and uses String.fromCharCode, indicating obfuscated code execution. It also references CVE-related indicators for JPXDecode and U3D content, suggesting exploitation of known PDF vulnerabilities. The embedded JavaScript likely downloads and executes a second-stage payload, as suggested by the extracted JavaScript files and the overall malicious verdict.

Heuristics 10

  • JPXDecode + active content — JPEG2000 CVE-family indicator high CVE related PDF_JPX_CVE_2018_4990_RELATED
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.cisco.com)/S/URI
    • http://www.aladdin.com/etoken/cisco/)/S/URI
    • http://tools.cisco.com/cse/prdapp/jsp/externalsearch.do?action=externalsearch&page=EXTERNAL_SEARCH&module=EXTERNAL_SEARCH)/S/URI
    • http://www.cisco.com/public/sw-center/sw-ios.shtml)/S/URI
    • http://www.cisco.com/en/US/products/hwithrouters/)/S/URI
    • http://www.cisco.com/en/US/products/svcs/ps3034/serv_category_home.html)/S/URI
    • http://www.cisco.com/en/US/products/svcs/ps11/services_segment_category_home.html)/S/URI
    • http://www.cisco.com/go/offices)/S/URI
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0121_014.js
9536363ba6ef54a3bfae83428030775c23cbaf9e8b0c761b2583d7bdb2a51f25		 pdf-javascript-stream PDF /JS object 121 at offset 0xD98 39494 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 14 eval/decoder/string-building token(s).
stream_017_off00031d33.bin
a133af4b6c7eb944d20cde8767a2f52614bdb99f634c899c40bcfa1a394101bd		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x31D33 3483796 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.89, consistent with packed or encrypted content.
stream_018_off003716cf.js
158bc21beca179b053859ad68b3f3871cc453e92f6a59c1aeb265f6ccc438105		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3716CF 183165 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
icc_00_off00017aef.icc
eb03db58ff1f226c83103a11f30b5520f9b68a7ced67daa78992723e3ea0411d		 pdf-icc-profile PDF ICC profile at offset 0x17AEF 1320 bytes
font_00_sfnt_off003c1ecb.bin
7307777da81d29c36edd40a7e2dcbf3a15c424105bcdc7150326b8ad0af32b9f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3C1ECB 9492 bytes
font_01_sfnt_off003c3bda.bin
9175d2b1ce7d962926886c0ac7257180d26dde00afd2162e5d8d90eddeb37922		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3C3BDA 18648 bytes
font_02_sfnt_off003c72cb.bin
bdfc52e5de4276079aa65fa1f371e97602136fd6f67d9b4fc8c7882ec8d132b3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3C72CB 5508 bytes
font_03_sfnt_off003c83a2.bin
4280f5aefab702c09911b90430f1167ce26361d55d5192a40539b1da0837bc5f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3C83A2 47220 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.