Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6ff2581ad44a443…

MALICIOUS

PDF

13.6 KB
MD5: d135e5a5e51759b17bb4724e62864b27 SHA-1: 00cd446cca3c1c13d742a7a4ee3f32655c22a9be SHA-256: e6ff2581ad44a4433435910ab748224458dfad931cec5de383615aa0621e9588
64 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/JScript T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The presence of an eval() call suggests the JavaScript is likely obfuscated and intended to execute arbitrary code. While no specific URLs or further payloads were extracted, the use of JavaScript within a PDF is a common technique for delivering malware. The document body is unreadable binary data, providing no contextual clues.

Heuristics 5

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off000004a8.bin
350520b8e27ba56f6aa61773cf7f32e455af5c1c7d24474fc350bace5ebedb2b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4A8 4796 bytes
objstm_0025_00.bin
cd0f53d9a4e28e71eba90dd8fba2226c06b41f506bda1d0aca160e49fc6bae98		 pdf-objstm-decoded PDF /ObjStm 25 0 obj (inflated) 428 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.