Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe968b12a2a48a78…

MALICIOUS

PDF

1.95 MB Created: 2011-72-51 03:25:00 Authoring application: dvips(k) 5.90a Copyright 2002 Radical Eye Software (via AFPL Ghostscript 8.14)
MD5: 851f8918793e9e14d1b607a05f6cd777 SHA-1: 5009f158b7e50fa04258053fc02dea81dda9b96f SHA-256: fe968b12a2a48a787d7f1712cde5aec841f6dceb791e07f082c91f111bcd571c
118 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript, which is further obfuscated and uses an eval() call. This JavaScript is likely responsible for executing malicious code, potentially by exploiting vulnerabilities within the PDF reader or by downloading a secondary payload. The presence of a nested PDF with similar suspicious findings reinforces the malicious intent. The document body appears to be a garbled representation of mathematical symbols and text, which is not a typical user-facing document.

Heuristics 5

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js
bdde503e0c00148bb3a8c5b5072c90846b12ddc126a1ef7702cf6d422b33bc57		 pdf-javascript-stream PDF /JS object 1 at offset 0x8DD6 543 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
polyglot_child_pdf_off00002ba3.pdf
f08e6a56d9d0a48bf578f3d3002303d0e37ce2d0c015f5af9ab78913e56186e4		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x2BA3 2036829 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.