Malicious PDF — malware analysis report

Static analysis result for SHA-256 f69d1a7763743434…

MALICIOUS

PDF

Size: 1.46 MB
Created: 2009-09-09 13:40:36 +02:00
Authoring application: Adobe PDF Library 8.0
MD5: 3cb95e707e7f03d8cecf32663085698e
SHA-1: 4059f70df740372be0193ee31d5568d10ed509b5
SHA-256: f69d1a77637434346764ecca6cd55809770f76216740fb92fd9bd1b9df207950
Risk score: 122

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

This PDF contains multiple JavaScript streams: three /JS objects (982, 984 and 986) plus a 714 KB Flate-encoded stream, stream_005_off000039e7.js, which carries 17 eval/decoder/string-building tokens and is the artifact flagged by the extracted-file triage; the high-confidence eval() rule matched inside a decoded stream rather than in the raw file bytes. eval() applied to a large, string-built buffer is the usual shape of an obfuscated exploit or second-stage loader, so the verdict is that the script most likely decodes and runs a secondary payload. Note the limits of the static view: the decoded payload is not recovered and every extracted URL points at Adobe or XMP namespace hosts, so what the script ultimately does is inferred, not observed, and because the file was produced by Adobe PDF Library 8.0 in 2009 and ships XFA form logic, the decoded stream should be read before concluding the eval() is attacker code rather than form-runtime code. The structure also shows XFA forms, five embedded files and more than 500 stream objects, all of which can serve obfuscation or heap-spray purposes and should be reviewed alongside the decoded JavaScript.

Heuristics 10

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Unusually high stream count medium PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.adobe.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://www.adobe.com/products/acrobat/readstep2.html
    • http://www.adobe.com/support
    • http://crl.adobe.com/prodSvce.crl
    • http://crl.adobe.com/cds.crl
    All recovered URLs are XMP/RDF namespace URIs, Adobe help links, or Adobe CRL distribution points (the latter apparently from an embedded certificate); none points at third-party infrastructure. Several were carved with trailing bytes from their surroundings, namely a PDF string escape "\", the ")Tj" text-show operator and non-printable DER bytes after ".crl"; they are shown trimmed here, and the residue is a sign that URL extraction ran over raw bytes rather than parsed PDF strings.
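The rule names above are reported as results only. The following Python, added here as an example and not the scanner's own code, shows how a minimal version of the same static triage is built: locate stream objects by byte-scanning (no reliance on the xref table), inflate FlateDecode bodies, run the rule regexes over the raw file and every decoded stream so that an eval() hidden behind compression is still caught, count streams, list carved artifacts with their offsets, and extract URLs trimmed at PDF string delimiters so a text operator such as ")Tj" is not swallowed. Rule identifiers are taken from the report; the 500-stream threshold, the severities' mapping and the constructed sample PDF are assumptions.

```python
"""Static PDF triage heuristics (added example; not the scanner's code).
Rule ids follow the report above; the sample PDF is constructed below."""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_KW = re.compile(rb"stream\r?\n")
# Inline /Length only; an indirect "/Length 12 0 R" is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

# (rule id, severity, byte regex) -- ids as used in the report above.
RULES = [
    ("PDF_EVAL", "high", rb"\beval\s*\("),
    ("PDF_JAVASCRIPT", "low", rb"/JavaScript\b"),
    ("PDF_JS", "low", rb"/JS\b"),
    ("PDF_XFA", "low", rb"/XFA\b"),
    ("PDF_EMBEDDED", "low", rb"/EmbeddedFile\b"),
]
MANY_STREAMS_THRESHOLD = 500  # assumed cut-off for PDF_MANY_STREAMS

def iter_streams(pdf):
    """Yield (obj_num, dict_bytes, body_offset, raw_body, decoded_body) for every
    object carrying a stream.  Regex scanning instead of walking the xref table
    is what lets triage cope with damaged or deliberately misleading PDFs."""
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        kw = STREAM_KW.search(body)
        if not kw:
            continue
        dict_bytes = body[:kw.start()]
        start = m.start(3) + kw.end()          # absolute offset of the stream body
        length = LENGTH_RE.search(dict_bytes)
        if length:
            raw = pdf[start:start + int(length.group(1))]
        else:  # no usable /Length: fall back to the endstream keyword
            raw = body[kw.end():].split(b"endstream")[0].rstrip(b"\r\n")
        decoded = raw
        if b"/FlateDecode" in dict_bytes:
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:
                pass  # keep raw bytes; a broken filter is itself worth a look
        yield int(m.group(1)), dict_bytes, start, raw, decoded

def extract_urls(haystacks):
    """URLs from raw bytes, cut at PDF string/array delimiters and trailing
    punctuation, so '(See http://x/y.html.)Tj' yields 'http://x/y.html'."""
    urls = set()
    for _, data in haystacks:
        for m in URL_RE.finditer(data):
            u = re.split(rb"[()<>\[\]\\]", m.group(0))[0].rstrip(b".,;:")
            urls.add(u.decode("ascii"))
    return sorted(urls)

def triage(pdf):
    streams = list(iter_streams(pdf))
    haystacks = [("raw file", pdf)] + [
        ("decoded stream obj %d" % n, dec) for n, _, _, _, dec in streams]
    hits = {}
    for rule, sev, pat in RULES:
        for where, data in haystacks:
            if re.search(pat, data):
                hits.setdefault(rule, {"severity": sev, "where": []})["where"].append(where)
    if len(streams) >= MANY_STREAMS_THRESHOLD:
        hits["PDF_MANY_STREAMS"] = {"severity": "medium", "where": ["%d streams" % len(streams)]}
    artifacts = [{"obj": n, "offset": off, "raw_size": len(raw), "decoded_size": len(dec),
                  "flate": b"/FlateDecode" in d} for n, d, off, raw, dec in streams]
    return {"hits": hits, "stream_count": len(streams),
            "artifacts": artifacts, "urls": extract_urls(haystacks)}

SAMPLE_JS = b"var p = 'app.alert(1)'; eval(p); eval(p);"  # constructed, not from the sample

def build_sample_pdf():
    """Constructed test file (not the analysed sample): a Flate-encoded /JS stream
    calling eval(), an /EmbeddedFile, an /XFA entry and a page content stream whose
    URL sits inside a Tj text operator.  No xref table; the scanner needs none."""
    js_z = zlib.compress(SAMPLE_JS)
    content = b"BT (See http://www.adobe.com/products/acrobat/readstep2.html.)Tj ET"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /XFA 6 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 7 0 R >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js_z) + js_z + b"\nendstream",
        b"<< /Type /EmbeddedFile /Length 5 >>\nstream\nhello\nendstream",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.7\n")
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(out)

if __name__ == "__main__":
    report = triage(build_sample_pdf())
    for rule, info in report["hits"].items():
        print("%-16s %-6s %s" % (rule, info["severity"], ", ".join(info["where"])))
    for a in report["artifacts"]:
        print("obj %d at 0x%X: %d raw / %d decoded bytes" % (
            a["obj"], a["offset"], a["raw_size"], a["decoded_size"]))
    print("urls:", report["urls"])
```

Run against the constructed file, PDF_EVAL reports its location as "decoded stream obj 5" and not the raw file, which is exactly the "matched inside decoded stream" distinction the report makes; the artifact list reproduces the offset, raw size and decoded size columns of the table below. The URL trimming handles PDF string delimiters but cannot tell an ASN.1 tag byte such as the "0" after ".crl" from a URL character, so URLs carved out of embedded certificates still need a manual look.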

Extracted artifacts 12

Files carved from inside the sample during analysis.

Columns per entry: filename; kind | source (object and byte offset in the sample) | size of the carved file (after Flate decoding where a filter applies); SHA-256.

embedded_file_obj1014.bin
    pdf-embedded-file | PDF EmbeddedFile object 1014 at offset 0x266B6 | 19538 bytes
    SHA-256: e1d57687841f80293b0c1f8ce5dcec7c0dfac4bb6a9479f118d806958d439c06
embedded_file_obj1015.bin
    pdf-embedded-file | PDF EmbeddedFile object 1015 at offset 0x27093 | 85 bytes
    SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
embedded_file_obj1016.bin
    pdf-embedded-file | PDF EmbeddedFile object 1016 at offset 0x27148 | 27124 bytes
    SHA-256: 938dc6808ffd0fb5c2fe7f40b954fcf96ecf2c2873a472da393b9d89b62785e0
embedded_file_obj1898.bin
    pdf-embedded-file | PDF EmbeddedFile object 1898 at offset 0x2B3F1 | 48830 bytes
    SHA-256: 1af81fd0df80feeccbadbad275ee48c09c3ce08c13507bf2cb9ca1c21d55e56f
embedded_file_obj25871.bin
    pdf-embedded-file | PDF EmbeddedFile object 25871 at offset 0x1704DE | 57204 bytes
    SHA-256: d18a65bab78de62ec1c33f053da39d46571ebbcb6fb84930baebe0cdf9e416d9
javascript_obj0982_000.js
    pdf-javascript-stream | PDF /JS object 982 at offset 0x2F60 | 870 bytes
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
javascript_obj0984_001.js
    pdf-javascript-stream | PDF /JS object 984 at offset 0x30E8 | 2798 bytes
    SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
javascript_obj0986_002.js
    pdf-javascript-stream | PDF /JS object 986 at offset 0x33DF | 1535 bytes
    SHA-256: 04ceb4c2218e7db19a6e007ca4ce846f92c17fff5eaf3a611e71bbd7a5726917
stream_004_off000036df.bin
    decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x36DF | 1897 bytes
    SHA-256: bec6159663596fab9cbb35c31d8a1164f7678df36df09e813af56a0a389fc3e6
stream_005_off000039e7.js
    decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x39E7 | 714640 bytes
    SHA-256: 6b0d6573dfab4581469a8d8ca1d67489839b7d7bf8d9b11c71edb2574eb2e0b6
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 17 eval/decoder/string-building token(s).
stream_006_off000262be.bin
    decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x262BE | 2410 bytes
    SHA-256: f87c8622f53e3cd3c1a639e52b69432e38a7267c6b9439d9257630a097c07763
stream_007_off00026599.bin
    decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x26599 | 315 bytes
    SHA-256: 6a6ec90aacf39e8a991b6984ba66068bf7612060601282bd0d7d7230237245c6