Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea0d66a79ac23eca…

MALICIOUS

PDF

4.3 KB Created: 2011-04-05 23:46:28 Authoring application: bub lob
MD5: 86d2d5f1b2963dad2bfb73e5e7d5b421 SHA-1: 1c4e483f54203081867364b803c4450466106efd SHA-256: ea0d66a79ac23eca09796fec7b2fa303feca78b5f8a0979d7f9dea8a27abf52d
78 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded executable script, indicated by the PDF_EMBEDDED_SCRIPT_PAYLOAD and PDF_XFA_SCRIPT heuristics. The script is likely designed to download and execute a secondary payload, as suggested by the embedded file artifact. The XFA form further increases the risk by allowing executable scripts. The exact behavior of the script is not fully discernible due to potential obfuscation, but its presence strongly suggests a malicious intent to compromise the user's system.

Heuristics 5

  • XFA form contains risky executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behavior is present.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
23ea7d5f7038e8dc5b4c8e4d2823ed848c106323860b762bb979d9afb64521c5		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x169 13121 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.