Jaff — PDF malware analysis

Static analysis result for SHA-256 0e3adf0314c28862…

MALICIOUS

PDF

Size: 66.3 KB
Created: 2017-06-05 11:43:51 +03:00
Authoring application: iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5: 11cc41a79308a22d2b11ca6621d8874a
SHA-1: cf5d80f7c438a6555f16c33db16e5991e18d6042
SHA-256: 0e3adf0314c28862e2ebbb80e985734afef46f41155891b31d75d095aa2d2e24
Risk Score: 174

Malware Insights

Jaff · confidence 95%

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript that, when executed, attempts to export a file named 'Invoice_796400.docm'. This embedded file was also detected by ClamAV as 'Doc.Downloader.Jaff-6329915-0', indicating a downloader functionality. The ML classifier and ClamAV detections strongly suggest malicious intent, likely for delivering a secondary payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (5)

  • ClamAV: Doc.Downloader.Jaff-6329915-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Jaff-6329915-0.
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: Invoice_796400.docm
SHA-256: e8cb52e2f2f6b6cb62dd08bf61c10181d00a3ba206e6590293ce7d94abba9029
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 2 at offset 0x5F7
Size: 67359 bytes
Detection: ClamAV: Doc.Downloader.Jaff-6329915-0
Obfuscation or payload: unlikely

Filename: javascript_obj0004_000.js
SHA-256: 53240d7800d21dcc74092141d40188930fd5ca9708da3a93f7b7d8d842c7f020
Kind: pdf-javascript-stream
Source: PDF /JS object 4 at offset 0x102B1
Size: 197 bytes