Malicious PDF / .TXT — malware analysis report

Static analysis result for SHA-256 f662836139ac668f…

MALICIOUS

PDF / .TXT

Size: 12.0 KB
Created: 2010-08-19 19:41:17 +04:00
Authoring application: L__eX_w (via d85672)
MD5: 91da73102d7a8d25887f17c7c5e41196
SHA-1: 62d3b14c2f946139877f95cef0c34729d78e8c49
SHA-256: f662836139ac668fd05758592812065ec1ce2d3f0c83b1c805f45f9504af68fd
Risk score: 74

Malware Insights

MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript   T1204.002 User Execution: Malicious File

The PDF contains embedded JavaScript streams; one carved stream contains an eval() call and another uses String.fromCharCode. Together these indicate that the JavaScript is obfuscated and built to assemble and execute code at runtime rather than to drive a form. Combined with a /JavaScript action that fires when the document is opened, this is consistent with an exploit document that uses obfuscated script to trigger a reader vulnerability and stage a secondary payload. No specific family could be identified, and ClamAV returned no signature hit on the carved streams it scanned.

Heuristics (6)

Each entry lists the heuristic name, its severity, and the rule ID that produced it.

  • eval() call [severity: high, rule: PDF_EVAL]
    eval() found. Commonly used for obfuscated exploit execution (matched inside decoded stream).
  • JavaScript action [severity: low, rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low, rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode [severity: low, rule: PDF_FROMCHARCODE]
    String.fromCharCode found. Used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
  • Optional Content Group with action trigger [severity: low, rule: PDF_OPTIONAL_CONTENT]
    An Optional Content Group (layer) co-occurs with an action trigger. Content can be selectively hidden from viewers or scanners while the action still fires on open.
  • Suspicious extracted artifact [severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis. Each entry gives the filename, SHA-256, kind, source location inside the PDF, and size.

  • javascript_obj0011_000.js
    SHA-256: 9020746e4bbafa42ae8ff7750aa866fd36eeb3b9d958f2b14cbabf62b21d394e
    Kind: pdf-javascript-stream   Source: PDF /JS object 11 at offset 0x236C   Size: 2421 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens)

  • javascript_obj0013_001.js
    SHA-256: 40560db89dc182dc65d27580c008d52f388b386e4d51f9a3fbede92f4466f2f9
    Kind: pdf-javascript-stream   Source: PDF /JS object 13 at offset 0x27B2   Size: 1123 bytes

  • javascript_obj0015_002.js
    SHA-256: d409291c2104ca93a6ece2b65a2ee0799a8fb7ba86b28102fe1fdc794abc0ae0
    Kind: pdf-javascript-stream   Source: PDF /JS object 15 at offset 0x2A32   Size: 326 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)
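The following Python script is an added, illustrative example and is not code from the analysis platform that produced this report. It shows how the two sections above fit together: it builds a small PDF with a Flate-compressed /JS stream reached through an /OpenAction (constructed test input, not the analysed sample), carves the JavaScript the way the extracted-artifacts list describes (object number, byte offset, decoded size, SHA-256), and applies the document-level and stream-level rules named in the heuristics section. The rule IDs are reused from this page; the regexes, the token count and the artifact naming scheme are assumptions of this example, and the formula behind the 74 risk score is not on the page and is not reproduced.

```python
import hashlib
import re
import zlib

# Constructed test input for this example, not the analysed sample: a string
# assembled with String.fromCharCode and run through eval(), the two tokens
# the PDF_FROMCHARCODE and PDF_EVAL rules look for.
PAYLOAD_JS = b"var s=String.fromCharCode(97,112,112);eval(s+'.alert(1)');"


def build_sample_pdf(js: bytes) -> bytes:
    """Assemble a minimal PDF whose /OpenAction runs a JavaScript action
    with a Flate-compressed /JS stream (hypothetical sample, built inline)."""
    packed = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Document-level rules from the heuristics section (severities as on the page;
# the regexes are this example's approximation of each rule).
DOC_RULES = [
    ("PDF_JAVASCRIPT", "low", lambda pdf: re.search(rb"/JavaScript\b", pdf)),
    ("PDF_JS", "low", lambda pdf: re.search(rb"/JS\b", pdf)),
    ("PDF_OPTIONAL_CONTENT", "low",
     lambda pdf: re.search(rb"/OCG\b", pdf) and re.search(rb"/(OpenAction|AA)\b", pdf)),
]
# Stream-level rules, run on the decoded JavaScript rather than the raw file.
STREAM_RULES = [
    ("PDF_EVAL", "high", re.compile(rb"\beval\s*\(")),
    ("PDF_FROMCHARCODE", "low", re.compile(rb"String\.fromCharCode")),
]


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> (byte offset, body) for every 'n g obj ... endobj'."""
    return {int(m.group(1)): (m.start(), m.group(2)) for m in OBJ_RE.finditer(pdf)}


def decode_stream(body: bytes) -> bytes:
    """Return an object's stream payload, inflating it when /FlateDecode is set."""
    m = STREAM_RE.search(body)
    if not m:
        return b""
    data = m.group(1)
    return zlib.decompress(data) if b"/FlateDecode" in body else data


def carve_js_streams(pdf: bytes):
    """Yield (object number, offset, decoded JavaScript) for each /JS target.
    Handles the indirect form '/JS n 0 R'; a direct literal '/JS (...)' is
    taken verbatim without unescaping, a simplification for this example."""
    objects = parse_objects(pdf)
    seen = set()
    for num, (off, body) in sorted(objects.items()):
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", body)
        lit = re.search(rb"/JS\s*\((.*?)\)", body, re.DOTALL)
        if ref and int(ref.group(1)) in objects:
            target = int(ref.group(1))
            t_off, t_body = objects[target]
            data = decode_stream(t_body)
        elif lit:
            target, t_off, data = num, off, lit.group(1)
        else:
            continue
        if target not in seen:
            seen.add(target)
            yield target, t_off, data


def score_stream(js: bytes):
    """Apply the stream rules; return (matched rules, count of suspicious tokens)."""
    matched = [(rid, sev) for rid, sev, pat in STREAM_RULES if pat.search(js)]
    tokens = sum(len(pat.findall(js)) for _, _, pat in STREAM_RULES)
    return matched, tokens


def triage(pdf: bytes) -> dict:
    """Document rules plus one record per carved artifact, shaped like the
    extracted-artifacts list (name, object, offset, decoded size, SHA-256)."""
    doc_hits = [(rid, sev) for rid, sev, check in DOC_RULES if check(pdf)]
    artifacts = []
    for idx, (num, off, data) in enumerate(carve_js_streams(pdf)):
        rules, tokens = score_stream(data)
        artifacts.append({
            "name": "javascript_obj%04d_%03d.js" % (num, idx),  # naming assumed
            "object": num, "offset": off, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "rules": rules, "tokens": tokens, "obfuscation_likely": tokens > 0,
        })
    return {"document_rules": doc_hits, "artifacts": artifacts}


if __name__ == "__main__":
    report = triage(build_sample_pdf(PAYLOAD_JS))
    for rid, sev in report["document_rules"]:
        print("doc  %-22s %s" % (rid, sev))
    for a in report["artifacts"]:
        print("%s obj %d @0x%X %d bytes tokens=%d rules=%s" % (
            a["name"], a["object"], a["offset"], a["size"], a["tokens"],
            [r for r, _ in a["rules"]]))
```

The split between document-level and stream-level rules is the point: /JavaScript and /JS fire on almost every form-enabled PDF, so they stay low, while eval() and String.fromCharCode are only meaningful once the stream has been inflated and are scored on the decoded bytes. A real carver also has to handle object streams, other filters (ASCIIHex, ASCII85, LZW) and escaped literal strings, none of which this example attempts.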