Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea9be18f98202b23…

Verdict: MALICIOUS
File type: PDF
Size: 82.4 KB
Authoring application: PyPDF2
MD5: f06c477c58c63a2971f849c64b6bd25f
SHA-1: 90d57a52f2ecebabfbc1252e9fb4640801a47ad8
SHA-256: ea9be18f98202b23db47e04009ef468650633496ecbab49958ccccbd4033884f
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

The critical heuristic firing for CVE_2009_0658 indicates that this PDF exploits a known vulnerability in Adobe Reader to execute arbitrary code. The presence of embedded JavaScript, particularly with eval() calls, further supports the malicious intent. The JBIG2Decode filter with active content suggests the exploit leverages this feature to deliver a payload, likely a dropper, which is then executed via JavaScript. The document body is heavily obfuscated and appears to be a lure, but the exploit and script execution are the primary indicators of malicious activity.

Heuristics (8)

  • Adobe Reader JBIG2Decode WScript dropper exploit (severity: critical; CVE likely; rule: CVE_2009_0658)
    PDF combines JBIG2Decode image streams with OpenAction JavaScript that reconstructs a Windows Script Host dropper stage. This matches the in-the-wild Adobe Reader/Acrobat JBIG2 image-stream exploit cluster associated with CVE-2009-0658.
  • JBIG2 + active content (severity: high; CVE related; rule: PDF_JBIG2_ACTIVE_CONTENT)
    JBIG2Decode appears with JavaScript/XFA/RichMedia — a related indicator for JBIG2 parser-exploit families including CVE-2021-30860 and CVE-2009-0658, but not a unique CVE fingerprint.
  • eval() call (severity: high; rule: PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution.
  • JBIG2Decode filter (severity: medium; rule: PDF_JBIG2)
    JBIG2 image decoder present — historically used in zero-click exploits.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators (severity: info; rule: PDF_IMAGE_ONLY_LURE)
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • javascript_obj0008_000.js
    SHA-256: c9b08887be9d512e48582a91e968a8604a85f1762f58c702a1ed6303920b812d
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x518
    Size: 338 bytes
  • javascript_obj0008_001.js
    SHA-256: e25e312ae0670d91ce5fc23a9fb90e9901bdcdd0888ac39f21143396b9c6f519
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x518
    Size: 85 bytes
  • jbig2_00_off000071f7.bin
    SHA-256: b18d53664a2dc1b1974f99cfc61faf49b45be9c260fe5da0df1a39b77d9b0d33
    Kind: pdf-jbig2-stream
    Source: PDF JBIG2 stream at offset 0x71F7
    Size: 2291 bytes
  • jbig2_01_off00008931.bin
    SHA-256: 50dddbc8230d3604857e3422084af337018de4a414688f3658e4141959a5f61a
    Kind: pdf-jbig2-stream
    Source: PDF JBIG2 stream at offset 0x8931
    Size: 15878 bytes

Detection

ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.49, consistent with packed or encrypted content.