Malicious PDF — malware analysis report

Static analysis result for SHA-256 f16995ba5b58e16d…

MALICIOUS

PDF

503.4 KB Created: 2006-11-07 11:38:03 -07:00 Authoring application: Adobe Illustrator 11.0 (via Deep Exploration 5 5.0.0.1399 Release)
MD5: f5c737c257395b2c1c3d2dea7ce21aa0 SHA-1: f9d860955286ee8dc40615a200eb29533358d013 SHA-256: f16995ba5b58e16dc714be58c9ee2b0680341e434990f385e48ddd3e822d2f2a
204 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains embedded JavaScript that utilizes eval() and unescape() functions, indicating obfuscated code execution. The presence of U3D/3D content and a specific heuristic flagging it as CVE-related suggests exploitation of a PDF viewer vulnerability. The ML classifier also flagged this as malicious. While no specific URLs or executable payloads were directly extracted, the techniques used strongly suggest a drive-by download or exploit delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9131

Heuristics 10

  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0053_000.js
2456d42a60220e270706fc9b246591d0c615ff7716eca8c609685c65bfe593be		 pdf-javascript-stream PDF /JS object 53 at offset 0x1DE0C 141736 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_013_off0001cbd7.js
31ca3056d5d1740b89d5c9e8a1d59b034aee4ac100a2a15bf4014684116c1fae		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1CBD7 8610 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_014_off0001d4fc.js
8bf3d0416cb60050a72a9ab5f96d93dec2b71c7b890f6fa7fbbbfa9d965534cd		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1D4FC 6761 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_016_off00025f7c.bin
cf3e36730f800e857a5847609019f8e408832fc76c6bf524211ebca412959be9		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x25F7C 370996 bytes
stream_017_off0005e854.js
6697a8469141108183ca41ba674d81adff36430fcfaf946f48a84cd78bc6f465		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5E854 108700 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
objstm_0064_00.bin
e59573b7210fe3f56c8cde61a2f1b54b2adac862805b660e6efb3bd3a43458d9		 pdf-objstm-decoded PDF /ObjStm 64 0 obj (inflated) 520 bytes
objstm_0065_00.bin
19fa0cb867707e6255f39b505eab3cf9a4619b341c01527fc7a296e506877fb7		 pdf-objstm-decoded PDF /ObjStm 65 0 obj (inflated) 1037 bytes
font_00_sfnt_off00000f07.bin
f39f99e2d4b021d4eac703afe26d32ad26f128c442f2089910c21b1f323fc85d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF07 79301 bytes
font_01_cff_off0000eb43.bin
ff2bd39b1311329d9bedf20dcc32a5c5691647192c7f1c6f455126503a909ee9		 pdf-font-stream PDF embedded font (cff) at offset 0xEB43 1558 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.