Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4f5552ddf960e91…

MALICIOUS

PDF

20.8 KB
MD5: bae468fcb1c885c8e1759aab1c37e3e9 SHA-1: 76b29d6165b797c0bc5b546f868d06e2633fc9ff SHA-256: f4f5552ddf960e91bc8c829274b0c3ea3fb61c4a4f08b8fff7e6e27b13e0c4ef
204 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

This PDF document contains embedded JavaScript and a critical heuristic firing for an embedded PE executable payload. The embedded file is named 'live_livechat.exe', suggesting a lure to trick users into executing it. ClamAV detection confirms the malicious nature of the embedded payload, identifying it as Win.Trojan.Rozena-693. The JavaScript likely facilitates the execution or download of this payload.

Heuristics 6

  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • ClamAV: Win.Trojan.Rozena-693 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Rozena-693
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
live_livechat.exe
d467b4c58105c9945f4bfb899e2b39c2b4e68ba5a1538613cc6d3dcc5ac7c099		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x380 37888 bytes
Detection
ClamAV: Win.Trojan.Rozena-693
Obfuscation or payload: unlikely
javascript_obj0009_000.js
2995d43b0bb86e895353af4f0fb16783f6dd31c0ce2caf3e54759ca1fc93328a		 pdf-javascript-stream PDF /JS object 9 at offset 0x5185 69 bytes
javascript_obj0009_001.js
e39d21f6e4efdef6dbe23a6bd9e4df7c5f163854297507491d9de2253d07a6fb		 pdf-javascript-stream PDF /JS object 9 at offset 0x5185 67 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.