PDF malware analysis — malicious · f9cfda6eb5e0d4b2

MALICIOUS

PDF

12.5 KB

MD5: 54532253fdcb1b7ca0a8bbeeda237ca4 SHA-1: a7013d20e0781e846f7d3cf1b61412af2a6a26c5 SHA-256: f9cfda6eb5e0d4b2a22584161ca0cf69481e9f64724feb66622e9681bcccc35c

116 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded JavaScript within its metadata, identified by the 'PDF_METADATA_EVAL_STAGER' heuristic. This JavaScript is likely used as a stager to download and execute a secondary payload, as indicated by the 'Pdf.Exploit.Dropped-94' ClamAV detection. The presence of JavaScript actions and embedded JS streams further supports this conclusion. The document body content is minimal and does not provide further clues to the specific lure.

Heuristics 4

ClamAV: Pdf.Exploit.Dropped-94 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Dropped-94
PDF metadata JavaScript eval stager high PDF_METADATA_EVAL_STAGER

PDF JavaScript reads document metadata fields such as title, subject, or producer, decodes character data with parseInt/String.fromCharCode style helpers, and evals the recovered stage. This is a high-signal exploit-kit staging pattern.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0076_000.js` `264f2ecaf2229c59ae3e2ed907ce42bdc75dacb1e81950520a5cf7c69d83a610`	pdf-javascript-stream	PDF /JS object 76 at offset 0x2FF8	331 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.