Malicious PDF — malware analysis report

Static analysis result for SHA-256 055167a57f6b8551…

Verdict: MALICIOUS
File type: PDF
Size: 612.5 KB
Created: 2008-11-14 06:12:59 +01:00
Authoring application: 3B2 Total Publishing System 7.51n/W (via PDFlib PLOP 2.0.0p6 (SunOS)/Acrobat Distiller 8.0.0 (Windows))
MD5: 9e58d325833e138db09855506a714344
SHA-1: b3e090098eab7df3f636180714e5594a181c7e09
SHA-256: 055167a57f6b855119328ea86b7d1983355e8935b78ad630fa818ecbec91e676
Risk score: 64

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and a hidden iframe, indicating an attempt to exploit vulnerabilities and load external content. The embedded script payload and hidden iframe heuristics strongly suggest malicious intent. While many URLs are benign, one external URI was found, which could be a pivot point for further malicious activity.

Machine Learning

  • Nyx PDF Classifier clean score 0.0083

Heuristics (4)

  • PDF contains hidden external HTML iframe (severity: high, rule PDF_HIDDEN_HTML_IFRAME)
    PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
  • Embedded script payload in PDF stream (severity: medium, rule PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (18)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_004_off0001eb41.bin | 548b3ef1db4330d82be2eb608ff5c7ba77833d080d9c453d89fc8d5ebf1a82cd | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1EB41 | 18678 bytes
stream_016_off00032117.bin | 4100a18efd053f523f816a75a9abe3bacc9d4ab87407d8f42d337402a54812ae | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x32117 | 9202 bytes
stream_018_off00034168.bin | 624148a3eb48d9105c392638556ecf3495fa8fdf4b88d4faef12d00a655ee2c3 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x34168 | 24374 bytes
stream_025_off00041aa4.bin | 965ab70052b0534f438e01811d4a32067736452e76a9de31a08ec843aadb1de7 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x41AA4 | 17005 bytes
stream_039_off0008b013.bin | 95b09290e09d4f1225e218a736e9eef925780975f45334aa95b6819150a58f51 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8B013 | 16998 bytes
embedded_pdf_script_000991b5.bin | 1ea92d36cd69aac3a309750a2468610c5cc42d8163e9cb3e95a8b2b323622798 | pdf-embedded-script | PDF decompressed stream script payload at offset 0x991B5 | 627171 bytes
font_00_cff_off0001bb10.bin | 6fa5be24d50f6a79ba7cbe00a80a3eb40247c98a5aa9c42c4e6f884df5c37e1d | pdf-font-stream | PDF embedded font (cff) at offset 0x1BB10 | 16934 bytes
font_02_cff_off00021dfc.bin | 04c7d8d209a31f020a208c4324622f7e612940d2277248e00d362f1882bb9392 | pdf-font-stream | PDF embedded font (cff) at offset 0x21DFC | 19227 bytes
font_03_cff_off000253e7.bin | 99561cbbb0f021909465c45b6f447328a7d9d5828d0341e73f4c796fb2c6a417 | pdf-font-stream | PDF embedded font (cff) at offset 0x253E7 | 16900 bytes
font_04_cff_off000284ca.bin | 97473af5523340c553d132cd5ca80c185f70c46b20efff794fef7c10512640f6 | pdf-font-stream | PDF embedded font (cff) at offset 0x284CA | 20456 bytes
font_05_cff_off0002b785.bin | 88d611fcd891de93a0577ec8442960048d7d6fee3876208be1a4f431f4243b04 | pdf-font-stream | PDF embedded font (cff) at offset 0x2B785 | 23101 bytes
font_06_cff_off0002eda9.bin | d2d485b05eb91adaf3c2f5542912b3e69f8a588812aed4e1f13953abb1f25422 | pdf-font-stream | PDF embedded font (cff) at offset 0x2EDA9 | 20740 bytes
font_09_cff_off000389d3.bin | 73b9b737aa16777da4266ac64bd27d366efa06f30bfe7cc6bbb2e2d9f928d1ca | pdf-font-stream | PDF embedded font (cff) at offset 0x389D3 | 14256 bytes
font_10_cff_off0003bb98.bin | f68deba403516cbe1700960b2eb10c0d454101b11384c66a3adfc9d62510fa1f | pdf-font-stream | PDF embedded font (cff) at offset 0x3BB98 | 19153 bytes
font_11_cff_off0003f017.bin | cef48d81227224cfacebd488e1c6dace2043a9ecc715c2bdd4d4fbdcf9db3f09 | pdf-font-stream | PDF embedded font (cff) at offset 0x3F017 | 12962 bytes
font_13_cff_off000542e2.bin | 3ad2c77fcf14ebcb68f43d8e90a162638b2be607620303225b56412fe2a0f142 | pdf-font-stream | PDF embedded font (cff) at offset 0x542E2 | 15252 bytes
font_15_cff_off00091e00.bin | 0392108f0b9c2f34182f3652e510f2961073d0f03a43bace8ff319e6c703e1af | pdf-font-stream | PDF embedded font (cff) at offset 0x91E00 | 8282 bytes
font_16_cff_off00093ea7.bin | 038e93fe0661f6d043694ebb993df67603777125b40d210778d4114a93284ec1 | pdf-font-stream | PDF embedded font (cff) at offset 0x93EA7 | 21505 bytes