Malicious PDF — malware analysis report

Static analysis result for SHA-256 f757aca6e62ed1e4…

Verdict: MALICIOUS
File type: PDF
Size: 2.77 MB
Created: 2006-11-07 11:38:03 -07:00
Authoring application: Adobe Illustrator 11.0 (via Deep Exploration 5 5.0.6.1889 Release)
MD5: 2bcc95181651ee4f33d2fd4e9f6fb52b
SHA-1: 412bb1a386fd1b97b2f01aaacb84abd55b0848e9
SHA-256: f757aca6e62ed1e4b2b87305976bc1b033c00237482553e075c26409bcf2de89
Risk score: 206

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1071.001 Web Protocols

The PDF file exhibits multiple high-severity heuristic firings related to embedded JavaScript, including eval() and unescape() calls, indicating obfuscated malicious code. The ML classifier also flagged the PDF as malicious with a high score. The presence of U3D content suggests a potential exploit vector. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload, although the exact nature of the payload cannot be determined from the static analysis alone. The benign URLs extracted are likely unrelated to the malicious functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9487

Heuristics (10)

  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator [high, CVE related] PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • eval() call [high] PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call [high] PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode [low] PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Optional Content Group with action trigger [low] PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (29)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size | ClamAV | Obfuscation or payload | Static triage note |
|---|---|---|---|---|---|---|---|
| javascript_obj0223_000.js | 8bc029484311b564d663e63457202b0f155b78da9d4fe777414ddd923fbc414c | pdf-javascript-stream | PDF /JS object 223 at offset 0x7B591 | 201954 bytes | No threats found | likely | 4 eval/decoder/string-building token(s) |
| stream_033_off00025d99.js | c2cfe62289e85a5de51e74766c51e3885d21d1f9e873d9eb4a30162192432ebe | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x25D99 | 22268 bytes | No threats found | likely | 5 eval/decoder/string-building token(s) |
| stream_034_off00026e42.js | 8318cfbb06a989fbf9e85a57016222466e46af8ad73bfeaba24d2a84f97e6481 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x26E42 | 17945 bytes | No threats found | likely | 5 eval/decoder/string-building token(s) |
| stream_035_off00027bfe.js | b89d1dc94c6752251533a68dbbbff2e3664eb8f8ec1eae658c84d61abf6b272e | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x27BFE | 10321 bytes | No threats found | likely | 8 eval/decoder/string-building token(s) |
| stream_039_off0002a33d.js | d8f14cfafa3c03678e5ff35f701bdd62552412ced26fc79fc2950e1670eb1106 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2A33D | 7147 bytes | No threats found | likely | 4 eval/decoder/string-building token(s) |
| stream_040_off0002aab2.js | 4015e032519fe09c2125cd1c8b0afe77cb0b1ebb4b901fd3ce95443d03d0e440 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2AAB2 | 2656 bytes | No threats found | likely | 4 eval/decoder/string-building token(s) |
| stream_041_off0002aede.js | 6b90b88c18883c688269f08c79fa872098622d3f019c36db3551651baf370f70 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2AEDE | 10670 bytes | No threats found | likely | 10 eval/decoder/string-building token(s) |
| stream_045_off0002d39e.js | 85e818c3e948c1ba3c1bd21fd1a336ab5e0aa057068ee54fbb39f50cfacf99b9 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2D39E | 7394 bytes | No threats found | likely | 5 eval/decoder/string-building token(s) |
| stream_046_off0002db30.js | 24da1f1fe8bd43c35d2681ffed6b729b22882f60c72d739751808aa04d27cdca | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2DB30 | 2758 bytes | No threats found | likely | 5 eval/decoder/string-building token(s) |
| stream_047_off0002df5d.js | d12c1ba8623a48297c3120c2d1075cd786d812ec68ef5dcd78d0acd5eb98d1f0 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2DF5D | 10467 bytes | No threats found | likely | 9 eval/decoder/string-building token(s) |
| stream_049_off0002f804.js | 90114c0d3b099b78b3901483d819fd961f54ceee50f637f9b96cc2d8756ae4ce | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2F804 | 7420 bytes | No threats found | likely | 6 eval/decoder/string-building token(s) |
| stream_050_off0002ffbb.js | e74b886445cd2b2b72eaa85280d69d39cfeea997437ef83969d83510cff2b7ee | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2FFBB | 2532 bytes | No threats found | likely | 3 eval/decoder/string-building token(s) |
| stream_051_off000303ac.js | b0ced4c0736652e87d948f9a258d89a25115c72efc25bc905a10f9ffe15386c1 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x303AC | 10189 bytes | No threats found | likely | 7 eval/decoder/string-building token(s) |
| stream_053_off00031661.js | bbe5462dff538e4c762b844ae26be18d05ea1ba04dcd3555421dab8f834e2065 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x31661 | 7138 bytes | No threats found | likely | 4 eval/decoder/string-building token(s) |
| stream_054_off00031da4.js | 05257e8805c2fd9de9e0dd76497b1ddc1f27bd657af0465843d552cb5b559df3 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x31DA4 | 2536 bytes | No threats found | likely | 3 eval/decoder/string-building token(s) |
| stream_055_off00032191.js | cdf262cc54dbd21f64c550849a95d856876ecb3d8f60b9f4d3e7af1472662455 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x32191 | 10492 bytes | No threats found | likely | 9 eval/decoder/string-building token(s) |
| stream_057_off00033427.js | 251f202a2f48f4cf50dbe7ad008ece1d683ff823af1199db78ab81c3409e6bda | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x33427 | 7180 bytes | No threats found | likely | 4 eval/decoder/string-building token(s) |
| stream_058_off00033b8c.js | 0a8ebb1f6423e7516ad1ce66bfe63b45a9177edb1d9f14cc972f83bd0cc53716 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x33B8C | 2795 bytes | No threats found | likely | 5 eval/decoder/string-building token(s) |
| stream_059_off00033faa.js | dec9c1ab3410769e817610e212fac1ee6a59b7acdf409a4e4007d48fc0a6592b | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x33FAA | 10487 bytes | No threats found | likely | 8 eval/decoder/string-building token(s) |
| stream_061_off00035399.js | b82a9be713f15e49297f6c2a57c55f9eb8925fac72ab69df6958f946fffc2932 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x35399 | 7445 bytes | No threats found | likely | 5 eval/decoder/string-building token(s) |
| stream_062_off00035b52.js | 00616f2ee7537947cade8eddb9c713970aa17d256789346ecfc610bd48e5ba7e | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x35B52 | 2524 bytes | No threats found | likely | 3 eval/decoder/string-building token(s) |
| stream_063_off00035f49.js | 7c8f5045f1a9cbc3c4972b920d5459cbf9d8f1ea8faff72df5d910cc73dae60c | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x35F49 | 10440 bytes | No threats found | likely | 9 eval/decoder/string-building token(s) |
| stream_065_off000371ed.js | 83da19540fe1155419c9447af6746e3d22d54e164830fa31ef79da4d7bcde0b4 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x371ED | 7177 bytes | No threats found | likely | 4 eval/decoder/string-building token(s) |
| stream_066_off00037975.js | 1bcdd99a74e80832caef99dc35bd9582f111818bd03f16dc035ffea0348ad9d5 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x37975 | 2748 bytes | No threats found | likely | 5 eval/decoder/string-building token(s) |
| stream_069_off00086cd3.bin | 11e1de70ba73b5bd6006b95e36a61b16aa1b73f58a6e3558e3d4492bb3242f28 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x86CD3 | 2128412 bytes | No threats found | likely | entropy 7.98, consistent with packed or encrypted content |
| stream_070_off0028ab4a.js | cd71be21612064d09365dc0a183a55ba7aec15b62cb5f0da798d439957a109e6 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x28AB4A | 171324 bytes | No threats found | likely | 2 eval/decoder/string-building token(s) |
| objstm_0234_00.bin | 7c85e7419941b479238870d655587f4f4e5ae75b9e8c75f8bb31a5189b05cd9f | pdf-objstm-decoded | PDF /ObjStm 234 0 obj (inflated) | 524 bytes | | | |
| objstm_0235_00.bin | 314624bf6299e328bdf8c3aa48c9cbbfd34f65ff9402cc03127d26e4f0d72685 | pdf-objstm-decoded | PDF /ObjStm 235 0 obj (inflated) | 3831 bytes | | | |
| font_00_sfnt_off000010b0.bin | f39f99e2d4b021d4eac703afe26d32ad26f128c442f2089910c21b1f323fc85d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10B0 | 79301 bytes | | | |

Detection columns are blank for artifacts the report lists without a detection block (the two object streams and the embedded font).