Malicious PDF — malware analysis report

Static analysis result for SHA-256 00892f1b67dc841a…

Verdict: MALICIOUS
File type: PDF
Size: 212.8 KB
Created: 2019-05-21 02:29:00 UTC
Authoring application: Aspose Ltd. (via Aspose.PDF for .NET 20.6)
First seen: 2021-11-23
MD5: 0e5b699e36081765045e20109e17355b
SHA-1: 8563ab2013c3436da43fad9117ac65dfac689904
SHA-256: 00892f1b67dc841ad1da39787a5266bbadd47ddff367c0be8d8ac9ab6fc91371
Risk score: 182

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a hidden ZIP archive which, upon extraction, reveals a JavaScript file. This indicates a likely multi-stage attack where the PDF serves as a container for malicious code. The JavaScript is expected to download and execute a further payload, a common technique for initial compromise.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0125

Heuristics (4)

  • [critical] PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD: Hidden ZIP payload with executable entries inside a PDF stream
    PDF stream bytes contain an embedded ZIP archive whose local-file headers name executable payload files. This is not a normal PDF attachment (/EmbeddedFile): it hides Windows payloads inside an ordinary content stream, a strong malware-loader or smuggling pattern.
  • [high] POLYGLOT_PDF_ZIP_APPENDED: PDF with appended ZIP archive
    A ZIP local-file header was found AFTER the last %%EOF in this PDF, a polyglot pattern where the same bytes are a valid PDF for a PDF reader and a valid ZIP for an archive parser.
  • [medium] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs below were found in PDF document text; the font-vendor and RDF namespace references are typical of embedded font name tables and XMP metadata and are not by themselves suspicious.
    • http://en.wikipedia.org/wiki/MIT_License
    • http://www.microsoft.com/typography/ctfonts
    • http://fontfabrik.com
    • http://www.microsoft.com/typography/fonts/default.aspx
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
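The two structural heuristics above, a ZIP hidden inside a decompressed stream and a ZIP local-file header after the final %%EOF, can be reproduced with a short scanner. The following is an added example written for this report, not the analysis platform's own code: it walks ZIP local-file headers directly (as the first heuristic describes), inflates FlateDecode streams so that a ZIP invisible to a raw byte scan is still found, and checks the bytes after the last %%EOF. The sample PDF it builds and the executable-extension list it uses are constructed assumptions.

```python
"""Find ZIP archives hidden in PDF streams or appended after the final %%EOF.

Added example for this report, not the analysis platform's own code. The
sample PDF and the executable-extension list below are constructed assumptions.
"""
import io
import re
import struct
import zipfile
import zlib

ZIP_LFH = b"PK\x03\x04"  # ZIP local-file-header signature
# Extensions treated as Windows executable/script payloads (assumed list).
EXEC_EXTS = (".exe", ".dll", ".scr", ".js", ".jse", ".vbs", ".wsf",
             ".hta", ".bat", ".cmd", ".ps1", ".lnk")
# 'stream ... endstream' bodies; \b stops 'endstream' matching as a start.
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\nendstream", re.DOTALL)


def lfh_names(blob):
    """Names recorded in each ZIP local-file header in blob, in file order.

    Walking local headers instead of the central directory still works when
    the archive is truncated or its central directory was damaged.
    """
    names = []
    off = blob.find(ZIP_LFH)
    while off != -1 and off + 30 <= len(blob):
        # LFH layout: name length at +26, extra length at +28, name at +30.
        name_len, extra_len = struct.unpack_from("<HH", blob, off + 26)
        names.append(blob[off + 30:off + 30 + name_len].decode("utf-8", "replace"))
        off = blob.find(ZIP_LFH, off + 30 + name_len + extra_len)
    return names


def executable_names(names):
    """Subset of names whose extension is in the assumed executable list."""
    return [n for n in names if n.lower().endswith(EXEC_EXTS)]


def scan_pdf(data):
    """Return one finding per ZIP located in the PDF bytes."""
    findings = []
    # Channel 1 (POLYGLOT_PDF_ZIP_APPENDED): bytes after the last %%EOF are
    # ignored by PDF readers but are a valid archive for a ZIP parser.
    eof = data.rfind(b"%%EOF")
    if eof != -1:
        pos = data.find(ZIP_LFH, eof + len(b"%%EOF"))
        if pos != -1:
            names = lfh_names(data[pos:])
            findings.append({"channel": "appended-after-eof", "offset": pos,
                             "entries": names, "executable": executable_names(names)})
    # Channel 2 (PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD): a ZIP inside a stream,
    # usually behind FlateDecode so a raw byte scan never sees a PK signature.
    for m in STREAM_RE.finditer(data):
        raw = m.group(1)
        views = []
        try:  # decompressobj tolerates a trailing CR before 'endstream'
            views.append(("decompressed-stream", zlib.decompressobj().decompress(raw)))
        except zlib.error:
            pass  # not FlateDecode data; fall back to the raw bytes only
        views.append(("raw-stream", raw))
        for label, body in views:
            pos = body.find(ZIP_LFH)
            if pos != -1:
                names = lfh_names(body[pos:])
                findings.append({"channel": label, "offset": m.start(1),
                                 "zip_offset": pos, "entries": names,
                                 "executable": executable_names(names)})
                break
    return findings


def build_zip(entries):
    """Constructed stored (uncompressed) ZIP holding the given name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_pdf():
    """Constructed minimal PDF: one ZIP inside a FlateDecode stream, one appended after %%EOF."""
    hidden = zlib.compress(build_zip({"invoice.pdf.js": b"// constructed stage-2 stub\n",
                                      "readme.txt": b"lure text\n"}))
    appended = build_zip({"update.exe": b"MZ-not-a-real-binary\n"})
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            b"3 0 obj\n<< /Length " + str(len(hidden)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + hidden + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n") + appended


if __name__ == "__main__":
    for finding in scan_pdf(build_sample_pdf()):
        print(finding)
```

On the sample it builds, the scanner reports the appended archive (update.exe) and the stream-hidden archive (invoice.pdf.js, readme.txt) as two separate findings; on the real sample the second channel is what produced the hidden_pdf_zip_off00034c0b.zip artifact listed below. Because the decompressed view is checked before the raw view, a stream is reported once even when both views contain a PK signature.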

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename: hidden_pdf_zip_off00034c0b.zip
  Kind: pdf-hidden-zip
  Source: PDF decompressed stream ZIP payload at offset 0x34C0B
  Size: 1627 bytes
  SHA-256: 5ebe6285a81f6d523458242900aa8d71cca41e7af2e2569221339f2edea4c1ad
  Detection: ClamAV: Archive.Filetype.DualExtJS-6168221-2
  Obfuscation or payload: likely
  actual_type=ZIP; declared_or_context_type=PDF; filename=hidden_pdf_zip_off00034c0b.zip; kind=pdf-hidden-zip

Filename: font_00_sfnt_off00007cee.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7CEE
  Size: 29492 bytes
  SHA-256: 60fe1038188dcb853e3bae107fe398291ee529fb789e3614539777fe3ce26345

Filename: font_01_sfnt_off0000f279.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF279
  Size: 13044 bytes
  SHA-256: a7afe876e096b5336838261579900b0309a3cdc103e759b9a7ccb922372f8fae

Filename: font_02_sfnt_off00012aae.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12AAE
  Size: 4236 bytes
  SHA-256: e597bed42aae1228148411cd47f131ceaec7f5317a34dd9765c64c396a128ef7

Filename: font_03_sfnt_off00013fb6.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13FB6
  Size: 88012 bytes
  SHA-256: 40162a91790cf980e03573dbe792791d66b204ca4a915186c29dd06645340b34

Filename: font_04_sfnt_off0002afab.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2AFAB
  Size: 12076 bytes
  SHA-256: 88b35acc2c57f74e51ce9e6b6de0c31571f699e062d130f018874c0a6cca582d