Malicious PDF — malware analysis report

Static analysis result for SHA-256 fee1cfddaf931f37…

MALICIOUS

PDF

7.8 KB Created: 2008-31-20 53:85:00 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)
MD5: 63eb494173a88929c8b3b40133254f32 SHA-1: d9cde70babb8b802cd439dfc523be1416778fec2 SHA-256: fee1cfddaf931f3769b3691c03d42e79352e748d6f16253852f1b92bd5e5aea3
98 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

The PDF document contains embedded JavaScript that utilizes eval() and unescape() functions, indicating obfuscation. The script attempts to dynamically construct and load a second-stage JavaScript from the URL http://max.gunggo.com/show_ad.ashx?type=pop&sid=2373&cid=2590&cm=1&fc=4&hr=24&cb=. This suggests a delivery mechanism for further malicious activity, likely downloading and executing additional payloads. The presence of obfuscated JavaScript and the attempt to fetch external content are strong indicators of malicious intent.

Heuristics 6

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ads.doclix.com/adserver/serve/js/doclix_synd_overlay.js
    • http://max.gunggo.com/show_ad.ashx?type=pop&sid=2373&cid=2590&cm=1&fc=4&hr=24&cb=

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_001.js
6db124ad0d55ad091b4c3d07d1fa2442bde9317d4fa47c5c8e9eb1f30423e01d		 pdf-javascript-stream PDF /JS object 13 at offset 0x3DA 5504 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.