Malicious PDF — malware analysis report

Static analysis result for SHA-256 f03d522d8b097a3b…

Verdict: MALICIOUS
File type: PDF
Size: 503.3 KB
MD5: 3f1f9054fc770cf6a3b4ec198331ab9a
SHA-1: d8fd9e95cd5dececd70516ee32a3b050bf1c4ff0
SHA-256: f03d522d8b097a3b2b98e05501036357bbcf853ac0c3658a9c8cc6d38e999753
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF document contains multiple embedded JavaScript streams, with one stream at offset 0x9FB exhibiting a high-confidence 'eval()' call, indicating code execution. The presence of 'String.fromCharCode' further suggests obfuscation techniques common in malicious JavaScript. These embedded scripts are likely responsible for downloading and executing a second-stage payload, as indicated by the 'PDF_JAVASCRIPT' and 'PDF_EMBEDDED' heuristic firings. The extracted JavaScript files are treated as IOCs due to their direct involvement in the malicious execution chain.

Heuristics (8)

  • eval() call [high] PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • String.fromCharCode [low] PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (10)

Files carved from inside the sample during analysis. Each entry lists the filename, SHA-256, kind, source, size and, where the scanner reported one, the detection result.
stream_002_off000009fb.js
  SHA-256: df394ffa2a0d24714a4f982d1258839a3d01f2db8dc4c3fafb403ef0b801a83a
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x9FB
  Size: 13125 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 19 eval/decoder/string-building tokens).

stream_003_off00001802.js
  SHA-256: 6b0112ca92ea1d2eba2254fddbb13ea61ed955854e2d4fe7be4e282031bfcf44
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1802
  Size: 9285 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 7 eval/decoder/string-building tokens).

stream_005_off000021d1.js
  SHA-256: e8fea2639c23266238e4d74a4dace2701264657e1c01e94360ace2a4af9614fd
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x21D1
  Size: 14876 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 9 eval/decoder/string-building tokens).

stream_006_off000030b5.js
  SHA-256: 01c6c90f86f3fd89bed2267f324da083eb92bbabcaa4f4e8a9130229f4847713
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x30B5
  Size: 3179 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens).

stream_007_off00003583.js
  SHA-256: eb1173f1798ca89be6190ce124f0e4a4d30d6732c311d15c8b2bf6c09f54a470
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x3583
  Size: 44415 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 8 eval/decoder/string-building tokens).

stream_009_off000059f5.js
  SHA-256: adcaa3dddc04fdb8ad96d82586a7f2912d8ae1ed76a95347673603200729a8a7
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x59F5
  Size: 8731 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens).

stream_107_off0006d4ed.js
  SHA-256: 3d89fee7346dbc3954f4a29c80fd4b56a457c5022f6a16256c29b5c6c6a18e32
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x6D4ED
  Size: 59470 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 6 long base64-like blobs).

stream_111_off000723e6.js
  SHA-256: 695a9ab984aadba0d0093b3b57cc02e9292c6334b78beeac532c79f439b4e978
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x723E6
  Size: 5886 bytes

stream_114_off00072992.js
  SHA-256: 80a6b8fd0ad629fdc498643b69b950d757215796a4f1a1a0046e79eaefd4fe76
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x72992
  Size: 788 bytes

stream_119_off000735f8.js
  SHA-256: 4b398c74891411656a835892bf34ba21b8cb36277dc4e97f1592ad8f69809f94
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x735F8
  Size: 2816 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens).