Malicious PDF — malware analysis report

Static analysis result for SHA-256 0992b40b16722f0b…

MALICIOUS

PDF

401.9 KB Created: 2011-04-18 15:20:20 +08:00 Authoring application: PDFCreator Version 0.9.6 (via GPL Ghostscript 8.63)
MD5: 86c91f4ebd291ae3869d48982f775cc8 SHA-1: 1b963f3985ad40747ac1390665f531bf2f411767 SHA-256: 0992b40b16722f0b75234778b8de0d0bd3e47489152a40dd9a509a7ad7a5edff
142 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file exhibits multiple high and critical heuristic firings, including ML classification and detection of embedded malicious content. Specifically, it contains embedded files and rich media (Flash), with a secondary embedded PDF showing suspicious static findings. The presence of embedded artifacts suggests an attempt to deliver a malicious payload, likely via spearphishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8915

Heuristics 5

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/iX/1.0/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objstm_0026_00.bin
0841ed6ca2149b386133777ff3868f6222ba5033d6f52cd654a117610818bd40		 pdf-objstm-decoded PDF /ObjStm 26 0 obj (inflated) 1084 bytes
polyglot_child_pdf_off0000b129.pdf
2161c98dbfc62e1e68b82e23d25f87329ec077249cfe88be57612020a42d92df		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xB129 366205 bytes
polyglot_child_pdf_off00062fb9.pdf
0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x62FB9 6125 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.