Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd8b444307961e16…

Verdict: MALICIOUS
File type: PDF
Size: 44.9 KB
MD5: 4a56b8adfa9810e1475763729ad1f510
SHA-1: af62db7808b06d646aa4438cb8a3c527d878c590
SHA-256: fd8b444307961e168197eb85b93056fbd5a62ad138ec609960e30ea6b7424183
Risk Score: 84

Malware Insights

MITRE ATT&CK: T1059.001 (Command and Scripting Interpreter: PowerShell)

ClamAV flagged the file as Heuristics.PDF.ObfuscatedNameObject, indicating PDF name objects written with unnecessary #xx hex escapes, the usual way of hiding keywords such as /JavaScript or /JS from naive string matching. A /JavaScript action, an embedded /JS stream and an XFA form were also detected. Generic JavaScript is common in benign forms, but combined with deliberately obfuscated names it points to an attempt to conceal executable content. The document body is heavily obfuscated and yields no readable text, which further supports malicious intent. The primary attack pattern is obfuscated JavaScript inside the PDF used to deliver a payload.

Heuristics (5)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action [low, PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form [low, PDF_XFA]
    PDF uses XML Forms Architecture (XFA), which can carry its own script logic.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/
    All three are the standard XDP/XFA XML namespace identifiers declared by any XFA form; they are schema names, not network indicators, and on their own do not point to a download or callback host.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0012_000.js
SHA-256:  51374731000627f76c706dd58703a0d70f52259146d634665f7cc3695f0ffa34
Kind:     pdf-javascript-stream
Source:   PDF /JS object 12 at offset 0xA1CA
Size:     3428 bytes
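The heuristics above (hex-escaped name objects, /JavaScript and /JS, /XFA) and the "/JS object N at offset X" carve in the artifacts table can be reproduced with a raw object scanner that does not depend on the xref table, which matters for damaged or deliberately broken files. The Python below is an added example written for this page; it is not the analysis platform's code and not ClamAV's signature logic. Its obfuscated-name test (a #xx escape used for a character that never needed escaping) is an assumption about what such a heuristic looks for, the rule names are taken from the report, and the PDF it scans is constructed inline, not the analysed sample.

```python
import re
import zlib

# PDF delimiters: a '#xx' escape that resolves to any other printable character was
# never needed, which is the kind of name obfuscation the report's heuristic flags
# (assumption about the heuristic; not ClamAV's own rule).
DELIMS = b"()<>[]{}/%"
NAME_RE = re.compile(rb"/([^\s()<>\[\]{}/%]*)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_START_RE = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d|\s+\d+\s+R)")  # skip indirect /Length
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")


def decode_name(raw: bytes) -> bytes:
    """Resolve '#xx' hex escapes in a PDF name token (J#61vaScript -> JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def is_obfuscated_name(raw: bytes) -> bool:
    """True when a name escapes a character that never needed escaping."""
    for m in re.finditer(rb"#([0-9A-Fa-f]{2})", raw):
        c = int(m.group(1), 16)
        if 0x21 <= c <= 0x7E and c not in DELIMS and c != 0x23:  # 0x23 is '#'
            return True
    return False


def scan_pdf(data: bytes) -> dict:
    """Raw-scan every 'N G obj ... endobj' block: flag /JavaScript, /JS and /XFA,
    record hex-obfuscated names, and carve the stream objects that /JS entries reference."""
    flags, obfuscated, objects, js_refs = set(), [], {}, set()
    for m in OBJ_RE.finditer(data):
        objnum, body = int(m.group(1)), m.group(3)
        dict_part, payload = body, None
        sm = STREAM_START_RE.search(body)
        if sm:
            dict_part = body[: sm.start()]
            lm = LENGTH_RE.search(dict_part)
            if lm:  # trust a direct /Length; otherwise fall back to the endstream keyword
                payload = body[sm.end(): sm.end() + int(lm.group(1))]
            else:
                payload = body[sm.end(): body.rfind(b"endstream")].rstrip(b"\r\n")
        for nm in NAME_RE.finditer(dict_part):
            raw = nm.group(1)
            if b"#" in raw and is_obfuscated_name(raw):
                obfuscated.append((objnum, b"/" + raw, b"/" + decode_name(raw)))
        # Keyword rules run on the dictionary with escapes resolved, so /J#53 counts
        # as /JS exactly as a conforming reader treats it.
        norm = NAME_RE.sub(lambda n: b"/" + decode_name(n.group(1)), dict_part)
        names = {n.group(1) for n in NAME_RE.finditer(norm)}
        if b"JavaScript" in names:
            flags.add("PDF_JAVASCRIPT")
        if b"JS" in names:
            flags.add("PDF_JS")
        if b"XFA" in names:
            flags.add("PDF_XFA")
        js_refs.update(int(r) for r in JS_REF_RE.findall(norm))
        objects[objnum] = (m.start(), names, payload)
    if obfuscated:
        flags.add("OBFUSCATED_NAME")
    carved = []
    for ref in sorted(js_refs):
        if ref not in objects or objects[ref][2] is None:
            continue  # dangling reference, or the script is not a stream
        offset, names, payload = objects[ref]
        script = payload
        if b"FlateDecode" in names:
            try:
                script = zlib.decompress(payload)
            except zlib.error:
                pass  # keep the raw bytes; a broken filter is itself worth a look
        carved.append({"object": ref, "offset": offset, "size": len(payload), "script": script})
    return {"flags": sorted(flags), "obfuscated_names": obfuscated, "js_streams": carved}


# Constructed sample, not the analysed file: hex-escaped /JavaScript and /JS names in
# the OpenAction, an /XFA entry, and a Flate-compressed /JS stream in object 12.
JS_SOURCE = b"app.alert('constructed sample');"


def build_sample_pdf() -> bytes:
    packed = zlib.compress(JS_SOURCE)
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 11 0 R"
        b" /AcroForm << /XFA 20 0 R >> >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"11 0 obj\n<< /Type /Action /S /J#61vaScript /J#53 12 0 R >>\nendobj\n",
        b"12 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream\nendobj\n",
    ]
    return b"%PDF-1.7\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    result = scan_pdf(build_sample_pdf())
    print("flags:", result["flags"])
    for objnum, raw, decoded in result["obfuscated_names"]:
        print(f"obj {objnum}: {raw!r} -> {decoded!r}")
    for s in result["js_streams"]:
        print(f"/JS object {s['object']} at offset {s['offset']:#x}, {s['size']} bytes")
        print("   ", s["script"].decode("latin-1"))
```

Run it against a real sample with `scan_pdf(open(path, "rb").read())`; the offsets it reports are file offsets of the `N G obj` header, the same convention as the artifacts table above. Names are decoded before the keyword rules run, so the scanner sees `/J#53` as `/JS` while still recording the escaped form as an obfuscation finding, which is the combination the report scores as critical.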