Malicious PDF — malware analysis report

Static analysis result for SHA-256 f12dd9981d40df99…

MALICIOUS

PDF

Size: 21.7 KB
Created: 2010-02-23 11:43:35
Authoring application: Gamobemijojiriwi
MD5: b4802b71df5830ededfbdc448bde5682
SHA-1: 6e71565b721521365f9be92908a19617217369bd
SHA-256: f12dd9981d40df994ab52b6ad56110916fd6bc81284b41bb306163210a1b6773
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

The PDF contains JavaScript and is configured with an OpenAction, indicating it is designed to execute code upon opening. The SE_PASSWORD_ARCHIVE_LURE heuristic strongly suggests the document's purpose is to prompt the user to open a password-protected archive. The embedded JavaScript, while not fully analyzed due to obfuscation, likely facilitates the delivery of this archive or a subsequent payload. The file's SHA256 hash is included as a primary IOC.

Heuristics (4)

  • OpenAction trigger (high) PDF_OPENACTION
    PDF has an /OpenAction: code runs automatically when the document is opened.
  • Password-protected archive handoff (high) SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning.
  • JavaScript action (low) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0034_000.js
SHA-256:  c4ab905cd992e94ba10955d6bdaa545dff07c0ed1daf3ea09c4cd47842e8cba8
Kind:     pdf-javascript-stream
Source:   PDF /JS object 34 at offset 0x516A
Size:     197 bytes