Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec90d170d2e4fdfe…

Verdict: MALICIOUS
File type: PDF

Size: 55.0 KB
Created: 2010-07-06 21:04:53
Authoring application: Virtual PDF Printer - www.go2pdf.com (via Virtual PDF Printer1.01)
MD5: 1b5466f54e3cccbb61484074f600e0ec
SHA-1: f8adb317ef24f65de664de5dac3113a5a5c6c85b
SHA-256: ec90d170d2e4fdfee432381a578f3893f2c1e87867423e5a05afaa214c9b36c2
Risk Score: 226

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

This PDF exhibits malicious characteristics: embedded JavaScript, a /Launch action, and, critically, a Windows PE executable hidden inside an ordinary PDF stream rather than in a standard /EmbeddedFile attachment. JavaScript actions and streams combined with the embedded executable strongly suggest the document is built to stage and execute a second-stage payload. The PDF also uses parser-evasion techniques (structures on which PDF parsers disagree), further indicating malicious intent, and ClamAV's 'Heuristics.PDF.ObfuscatedNameObject' detection (name objects written with #xx hex escapes, a common way to hide keys such as /JavaScript from naive scanners) reinforces the malicious classification.

Heuristics (9)

  • Embedded Windows executable payload in PDF stream [critical] PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header (an MZ DOS header whose e_lfanew field points at a PE\0\0 signature, not merely an "MZ" string match). Exploit chains often hide droppers inside ordinary streams rather than in standard /EmbeddedFile attachments.
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • Launch action [high] PDF_LAUNCH
    PDF contains a /Launch action with an unresolved or extension-less target. Treat it as potentially dangerous: /Launch can run an external program or open a file once the reader's warning dialog is accepted.
  • Clickable PDF combines external action with parser-evasion structure [high] PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object-graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or an xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.go2pdf.com (this matches the authoring application's vendor site in the Producer metadata above and is not an indicator on its own)
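The two critical findings above, a PE header verified inside a decompressed stream and ClamAV's obfuscated-name heuristic, can be reproduced with a small carver. The following Python is an added example written for this page, not the analysis platform's own code: it runs over a constructed in-memory PDF (SAMPLE_PDF) rather than the sample in this report, and the helper names (decode_name, find_obfuscated_names, verified_pe_offsets, iter_streams, scan_pdf) and the WATCHLIST of sensitive keys are this example's own assumptions.

```python
import re
import struct
import zlib

# Keys that attackers commonly hide behind #xx escapes (PDF name syntax since 1.2).
# This watchlist is the example's own choice, not a ClamAV or platform list.
WATCHLIST = {b'/JavaScript', b'/JS', b'/Launch', b'/OpenAction', b'/AA',
             b'/EmbeddedFile', b'/URI', b'/Filter', b'/FlateDecode'}

# A name token that contains at least one #xx escape.
NAME_RE = re.compile(rb'/[^\s/\[\]<>(){}%]*#[0-9A-Fa-f]{2}[^\s/\[\]<>(){}%]*')
# A stream dictionary (one level of nesting allowed) followed by its body. The body
# runs to the 'endstream' keyword on purpose: evasive files lie about /Length.
STREAM_RE = re.compile(rb'<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)endstream', re.S)


def decode_name(name: bytes) -> bytes:
    """Resolve #xx hex escapes in a PDF name: b'/J#61vaScript' -> b'/JavaScript'."""
    return re.sub(rb'#([0-9A-Fa-f]{2})',
                  lambda m: bytes([int(m.group(1), 16)]), name)


def find_obfuscated_names(pdf: bytes):
    """(raw, decoded, on_watchlist) for every #xx-escaped name outside stream bodies."""
    # Blank stream bodies first so compressed binary cannot produce false name hits.
    text = re.sub(rb'stream\r?\n.*?endstream', b'stream\nendstream', pdf, flags=re.S)
    hits = []
    for m in NAME_RE.finditer(text):
        raw = m.group(0)
        dec = decode_name(raw)
        hits.append((raw.decode('latin-1'), dec.decode('latin-1'), dec in WATCHLIST))
    return hits


def verified_pe_offsets(buf: bytes):
    """Offsets of MZ headers whose e_lfanew (DOS header +0x3C) points at 'PE\\0\\0'."""
    found = []
    for m in re.finditer(rb'MZ', buf):
        off = m.start()
        if off + 0x40 > len(buf):
            continue                      # too short to hold a full 64-byte DOS header
        e_lfanew = struct.unpack_from('<I', buf, off + 0x3C)[0]
        pe = off + e_lfanew
        # Real binaries keep e_lfanew past the DOS header; a stray 'MZ' string will not.
        if 0x40 <= e_lfanew < 0x10000 and buf[pe:pe + 4] == b'PE\0\0':
            found.append(off)
    return found


def iter_streams(pdf: bytes):
    """Yield (body_offset, decoded_bytes) per stream; inflate when the dict names /FlateDecode."""
    for m in STREAM_RE.finditer(pdf):
        sdict, body = m.group(1), m.group(2)
        if b'/FlateDecode' in decode_name(sdict):     # decode so /Fl#61teDecode is caught too
            try:
                body = zlib.decompressobj().decompress(body)   # tolerates the trailing newline
            except zlib.error:
                pass                      # keep raw bytes so a corrupt stream is still scanned
        yield m.start(2), body


def scan_pdf(pdf: bytes) -> dict:
    """Both checks in one result: escaped names, and streams holding a verified PE header."""
    pe_streams = []
    for off, body in iter_streams(pdf):
        hits = verified_pe_offsets(body)
        if hits:
            pe_streams.append((off, hits))
    return {'obfuscated_names': find_obfuscated_names(pdf), 'pe_streams': pe_streams}


def _pe_stub(sig: bytes = b'PE\0\0') -> bytes:
    """Constructed minimal DOS header: 'MZ', e_lfanew = 0x40, then the signature bytes."""
    return b'MZ' + b'\0' * 0x3A + struct.pack('<I', 0x40) + sig + b'\0' * 0x40


def _stream(extra: bytes, data: bytes) -> bytes:
    return b'<< /Length %d%s >>\nstream\n' % (len(data), extra) + data + b'\nendstream\n'


# Constructed sample (not the file analysed in this report): one escaped /JavaScript key,
# one FlateDecode stream hiding a PE stub, and one raw stream with a decoy 'MZ' but no PE\0\0.
SAMPLE_PDF = (
    b'%PDF-1.4\n'
    b'1 0 obj\n<< /Type /Catalog /OpenAction << /S /J#61vaScript /JS 2 0 R >> >>\nendobj\n'
    + b'2 0 obj\n' + _stream(b'', b'app.alert("constructed sample");') + b'endobj\n'
    + b'3 0 obj\n' + _stream(b' /Filter /FlateDecode', zlib.compress(_pe_stub())) + b'endobj\n'
    + b'4 0 obj\n' + _stream(b'', _pe_stub(b'NOPE')) + b'endobj\n'
    + b'%%EOF\n'
)

if __name__ == '__main__':
    print(scan_pdf(SAMPLE_PDF))
```

On a real file, call scan_pdf(open(path, 'rb').read()). The carver deliberately ignores /Length and the xref table and scans every stream it can delimit, which is the right posture for a sample flagged for xref offset mismatches; it does not descend into object streams (/ObjStm) or apply filters other than FlateDecode, so treat it as triage rather than a full parser.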

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0017_000.js
    SHA-256: 608eca199c721532742bef5fa07c8aa2add996038efe924ab3e67a7653ddc6b3
    Kind: pdf-javascript-stream
    Source: PDF /JS object 17 at offset 0xD7FD
    Size: 53 bytes
  • stream_001_off00001159.bin
    SHA-256: 37121ecb7c1e112b735bd21b0dfe3e526352ecb98c434c5f40e6a2a582380cdd
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1159
    Size: 114688 bytes