Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa14accec5970c3a…

Verdict: MALICIOUS
File type: PDF
Size: 75.4 KB
Authoring application: PyPDF2
MD5: 884b4053892e1420e5a94627268367a3
SHA-1: e54ecf36d476e579ecc2a583754294c32685e2f3
SHA-256: fa14accec5970c3aae513283a098c5c39066ec7090caaf00e1e05f8b39542dde
Risk score: 164

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer

The PDF file contains embedded JavaScript, with multiple heuristic firings indicating obfuscation and the use of eval(). The ClamAV detection of 'Txt.Downloader.Nemucod-6769957-0' strongly suggests a downloader functionality. The extracted JavaScript files, particularly 'legacy_pdfkit_stage_001.js' and 'legacy_pdfkit_stage_002.js', are large and likely contain the core malicious logic for downloading and executing further stages. The primary intent appears to be the download and execution of a second-stage payload.

Heuristics (6)

  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • eval() call [high] PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: javascript_obj0007_000.js
SHA-256: 5bf5c2523b5c707ca272ad2f1389ed92a8ba9e1ec01264738869b4b00a5a7c95
Kind: pdf-javascript-stream
Source: PDF /JS object 7 at offset 0x501
Size: 13521 bytes
Detection: ClamAV: Txt.Downloader.Nemucod-6769957-0
Obfuscation or payload: likely
Notes: Carved artifact contains 26 eval/decoder/string-building token(s).

Filename: legacy_pdfkit_stage_000.js
SHA-256: ae4acd74fc9e4b9a808059dfe9754a53b2cfd678c7f15575a7253ad53e7ba80f
Kind: deobfuscated-js
Source: split-join delimiter stripped JavaScript at offset 0x5C7
Size: 7144 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Notes: Carved artifact contains 8 shell/COM execution token(s). Carved artifact contains 27 eval/decoder/string-building token(s).

Filename: legacy_pdfkit_stage_001.js
SHA-256: aab7a7892320e6e8391db26beee9fe37049f97b74f5f72ec281bdd4efe858a6a
Kind: deobfuscated-js
Source: split-join delimiter stripped JavaScript at offset 0x554
Size: 77056 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Notes: Carved artifact contains 26 eval/decoder/string-building token(s).

Filename: legacy_pdfkit_stage_002.js
SHA-256: d1160c8ed0b98233e562b0aca012662f1eea7b4acdf1bdb29a4f1498e53acd6a
Kind: deobfuscated-js
Source: split-join delimiter stripped JavaScript at offset 0x5F5
Size: 70663 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Notes: Carved artifact contains 8 shell/COM execution token(s). Carved artifact contains 27 eval/decoder/string-building token(s).