Malicious PDF — malware analysis report

Static analysis result for SHA-256 f16074e1f0d3001d…

Verdict: MALICIOUS
File type: PDF
Size: 1.95 MB
Created: 2008-08-06 01:42:27
Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)
MD5: 108e85a53f0464759b3e188ed993ed45
SHA-1: 06904238754a97998c874d750f5f997b181e181f
SHA-256: f16074e1f0d3001d0a1217ecfd81c01fdac46355a8cc89c8b9211903121de58d
Risk score: 386

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.001 User Execution: Malicious Link
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF carries an /OpenAction that runs embedded JavaScript, and the decompressed JavaScript calls Collab.collectEmailInfo, the API abused by CVE-2007-5659 (Adobe Reader and Acrobat 8.1.1 and earlier). The script is heavily obfuscated, with eval, unescape and String.fromCharCode spread over several FlateDecoded streams, which is the usual shape of a downloader or dropper stage; the "download and execute a second-stage payload" reading is an inference from that structure, since this is a static pass and no network or process behaviour was observed. ClamAV names the primary file and several carved artifacts Win.Trojan.Agent-36171, a generic signature that confirms the sample is known-bad but does not describe what it does. The T1059.001 (PowerShell) mapping is not evidenced by any heuristic or artifact listed on this page.

Heuristics (11)

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader and Acrobat 8.1.1 and earlier, triggered by an overlong msg argument to Collab.collectEmailInfo(); in-the-wild samples pair it with a heap spray so the corrupted control flow lands in sprayed shellcode. One of a series of Acrobat JavaScript API exploits from that period. (matched in decompressed stream)
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. The rule exists for polyglots where the top-level magic routes the file to a ZIP or OLE parser while a PDF reader or downstream parser opens the hidden PDF payload. Here the container is itself a PDF and, per the carve sizes under Extracted artifacts, each secondary body runs to end of file, so this finding re-scores the same malicious stream rather than revealing a second payload; do not count it as independent evidence.
  • ClamAV: Win.Trojan.Agent-36171 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-36171
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • OpenAction trigger high PDF_OPENACTION
    PDF has an /OpenAction: the referenced action (here a JavaScript action) runs automatically when the document is opened, with no click required.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (8)

Files carved from inside the sample during analysis. Each entry lists the filename, SHA-256, kind, source location, size, ClamAV result and obfuscation assessment.

  • javascript_obj0013_001.js
    SHA-256: 141e6d5299991b266797f78735db3e9a23abf2816dc8a0a57b8d8771b6935de8
    Kind: pdf-javascript-stream
    Source: PDF /JS object 13 at offset 0x36F
    Size: 3291 bytes
    ClamAV: No threats found
    Obfuscation or payload: likely (3 eval/decoder/string-building tokens)
  • stream_003_off00000ed0.js
    SHA-256: d4402ef82d2d91881993762bac57eb61e60490d391fbee453d314a9ee9e0590a
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xED0
    Size: 6508 bytes
    ClamAV: No threats found
    Obfuscation or payload: likely (4 eval/decoder/string-building tokens)
  • stream_005_off000021dd.js
    SHA-256: 992cbcf89287398ed8da51e12b34bdb41c0cbe812f23081dde632548aa826f83
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x21DD
    Size: 7177 bytes
    ClamAV: No threats found
    Obfuscation or payload: likely (2 eval/decoder/string-building tokens; 1 long base64-like blob)
  • stream_008_off0000389a.js
    SHA-256: 150ecfb4103192116ebf817fd42386c0bb42bc2d7fa29221b22ff5fbcdcfdcff
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x389A
    Size: 1664 bytes
    ClamAV: Win.Trojan.Agent-36171
    Obfuscation or payload: likely (4 eval/decoder/string-building tokens)
  • deobfuscated.js
    SHA-256: 1378d02837dedf92d68456f59446d55f6ab03df517c02cd5ff49762e438eecb8
    Kind: deobfuscated-js
    Source: PDF JavaScript deobfuscation pass
    Size: 42195 bytes
    ClamAV: Win.Trojan.Agent-36171
    Obfuscation or payload: likely (17 eval/decoder/string-building tokens; 1 long base64-like blob)
  • polyglot_child_pdf_off00000b2e.pdf
    SHA-256: 275034b0da56fb0d707b1bc33a16f4dc9635c47e31eceb4475dddf7746cc2f33
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0xB2E
    Size: 2045138 bytes
    ClamAV: Win.Trojan.Agent-36171
    Obfuscation or payload: unlikely
  • polyglot_child_pdf_off00001dd7.pdf
    SHA-256: 5df564c5d9a2cf31a55171ab1e9887840e419daab1388d604895d1cc2929aaee
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x1DD7
    Size: 2040361 bytes
    ClamAV: Win.Trojan.Agent-36171
    Obfuscation or payload: unlikely
  • polyglot_child_pdf_off00002b88.pdf
    SHA-256: afbc29522280fafcb4e5234f2e6c9055fbdc292d76c9b8a8ea42a90fcc0e1ac5
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x2B88
    Size: 2036856 bytes
    ClamAV: Win.Trojan.Agent-36171
    Obfuscation or payload: unlikely

Reading the artifact list: the only carved stream that ClamAV names on its own is the 1664-byte FlateDecoded stream at 0x389A; the /JS object at 0x36F and the streams at 0xED0 and 0x21DD are unsigned but carry the decoder tokens, and the deobfuscation pass (deobfuscated.js) inherits the detection once those layers are unwrapped. The three polyglot-child carves are not three separate payloads. For each one, offset plus size is 2048000 bytes (0xB2E + 2045138, 0x1DD7 + 2040361, 0x2B88 + 2036856), which is the length of the 1.95 MB sample itself, so each is simply the remainder of the file from a secondary %PDF- header to end of file. All three therefore contain the stream at 0x389A and inherit its Win.Trojan.Agent-36171 detection while scoring "unlikely" for obfuscation, because the carve is mostly the benign Scribus document body. Count them as one finding.