Malicious PDF — malware analysis report

Static analysis result for SHA-256 04faf17a6a4c2567…

Verdict: MALICIOUS
File type: PDF
Size: 6.34 MB
Created: 2009-12-31 09:47:02 +05:30
Authoring application: Acrobat PDFMaker 8.0 for Word (via Acrobat Distiller 8.0.0 (Windows))
MD5: df99139dee83b80a7428c6afb382ca45
SHA-1: 6cffa82c72bf491ebd59106a6f7453411a967f67
SHA-256: 04faf17a6a4c25674c41c858f97678a8a3e69c625a1c6751d6940ddbd5791ac8
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1105 Ingress Tool Transfer

The PDF file contains embedded JavaScript and a Windows executable payload disguised as a PDF attachment. The embedded executable is the primary indicator of malicious intent, likely intended to be executed by the user. The presence of JavaScript suggests potential exploitation or further malicious actions within the PDF itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9937

Heuristics (9)

  • Embedded Windows executable payload in PDF stream (critical, PDF_EMBEDDED_PE_PAYLOAD)
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • Embedded attachment masquerades: declared document, content is windows-executable (critical, PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH)
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image, but the bytes are an executable or an executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.mingmix.com/windows-7-secrets/
    • http://www.mingmix.com/windows-7-secrets/)/S/URI
    • http://blogs.msdn.com/blogfiles/tims/WindowsLiveWriter/Windows7Secrets_AC88/image_22.png
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://www.iec.ch

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: dap81.pdf
  SHA-256: a88bdcaf2ee286615d499e77c265f730c52f055f92fa10e37bd5b1ff3fa94e4e
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 123 at offset 0x8FEC1
  Size:    4194304 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.

Filename: stream_011_off00052b0b.bin
  SHA-256: dcc84754583dceaa314d615e815cbd6ab33b06a9555f536e962ab8bb5fbb07c1
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x52B0B
  Size:    91494 bytes

Filename: stream_015_off00064efd.bin
  SHA-256: 0c1efd35a871239f3882114a91e2a4a1adba6216aa15bad610212ce99839b957
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x64EFD
  Size:    1081752 bytes

Filename: icc_00_off0000184e.icc
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  Kind:    pdf-icc-profile
  Source:  PDF ICC profile at offset 0x184E
  Size:    3144 bytes