Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5b1c1b849d3c865…

MALICIOUS

PDF

565.2 KB Created: 2009-11-30 14:40:00 -07:00
MD5: b2457b30c2286a31b7cf4b13d604df5f SHA-1: 7aaad81e04c86d78261833c8be99df7f1ebf6ce5 SHA-256: f5b1c1b849d3c8658959411fefa98dea9d116f9cbedaa3c787b2bbc50097a1b9
66 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains embedded JavaScript and is flagged for a JPXDecode-related vulnerability (CVE-2018-4990 family). This suggests an attempt to exploit a PDF viewer to run malicious code. The embedded JavaScript action and the presence of an external URI, although benign in this case, indicate a delivery mechanism for further malicious payloads. The file's metadata and heuristics point towards an exploit-based attack rather than a social engineering lure.

Heuristics 6

  • JPXDecode + active content — JPEG2000 CVE-family indicator high CVE related PDF_JPX_CVE_2018_4990_RELATED
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000006bd.js
0b53a34f7747117319e6575a7d87e416dfa316b7efbbf8105cb2a44d0f933b99		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6BD 7093 bytes
stream_023_off000068fa.bin
e4578d91f543cf258fe27b7784327406784d61f8638b570239f39dfa386aba19		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x68FA 118699 bytes
stream_024_off00036619.bin
d75076f4f9773f31bef4020b0d7dd724c09deb749497a575942f56850fcd39ea		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x36619 44938 bytes
stream_025_off000404cb.bin
e1cb56f13498b1a7becec2ea7615fa223fe3f3f3ffcd25398f9b998445e79f6c		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x404CB 219423 bytes
stream_026_off0006d444.bin
bc62f9dc6a4e4828a1b317ee6e9a140b93a3464df813e2d7fb70cb704e0ebf62		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6D444 119602 bytes
font_00_cff_off00003bee.bin
46d6cefde37d45d18fcc5c29216199cff91c0e64b0a4892dc2e1aa4d3a90f4b5		 pdf-font-stream PDF embedded font (cff) at offset 0x3BEE 2466 bytes
font_01_cff_off000046b9.bin
8c6b806d6b4dbadc63b2abff6201ac51cb5e88f43d6bacc387340cd039ec4f43		 pdf-font-stream PDF embedded font (cff) at offset 0x46B9 1671 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.