Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ee161c0f0450c01…

Verdict: MALICIOUS
File type: PDF
Size: 315.0 KB
Created: 2010-11-12 16:05:24 +08:00
Authoring application: pdfFactory Pro www.fineprint.cn (via pdfFactory Pro 2.53 (Windows XP Professional Chinese))
MD5: 06830e3b13d06eb9170321329416da47
SHA-1: 312497a851a163a1c6f8b9c96e8ed07163b01b57
SHA-256: 0ee161c0f0450c017d231eb2792f652e5e88497858c92c05bd8580dd0a436de1
Risk score: 216

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious Link

This PDF file was flagged as malicious by multiple heuristics, including ML classification and ClamAV detection (Win.Trojan.Agent-36159). It contains embedded JavaScript and a secondary embedded PDF, suggesting it's designed to deliver a further stage of malware. The presence of RichMedia (Flash) and embedded files further supports this. The primary attack vector appears to be exploiting PDF vulnerabilities or tricking the user into executing embedded content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8518

Heuristics (8)

  • Secondary embedded PDF body has suspicious static findings (critical, POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV: Win.Trojan.Agent-36159 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Agent-36159
  • RichMedia (Flash) (high, PDF_RICHMEDIA)
    PDF contains /RichMedia (Adobe Flash), which is a historic exploit vector (matched inside decoded stream)
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.fineprint.cn
    • http://100.cca.gov.tw
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its kind, where in the sample it was carved from, its size, and its SHA-256.

  • stream_011_off00018dd8.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x18DD8
    Size: 13181 bytes
    SHA-256: 3936ffdc8106abdc179d8c35b271ab1e3cba1f4aabad7952dd0dc72a489624d5
  • objstm_0027_00.bin
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 27 0 obj (inflated)
    Size: 1170 bytes
    SHA-256: 667b2c75ccf7ac530ab7ab1335ed88701c878c9bd33ce7626a853b18be32e7d1
  • font_00_sfnt_off0001be5c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1BE5C
    Size: 68056 bytes
    SHA-256: 95cb583b460b4a36e752844ef7447450df261865cbd9e66c596541230c1b9961
  • font_01_sfnt_off000248d6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x248D6
    Size: 9204 bytes
    SHA-256: 4fea26d60e714581cf4b8597cf5cdf3806e3198c789aa48beacfe9fd4faf3b51
  • font_02_sfnt_off00026842.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x26842
    Size: 8568 bytes
    SHA-256: ad7c77fb8e339e9befc386a6ef9f159184a8960e92351d6f761ba9046e9095fc
  • font_03_sfnt_off000289bb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x289BB
    Size: 71152 bytes
    SHA-256: 2c61db7b255f6a13184eb55b08f98bfc60383183da886a607bb9e90c9e27def6
  • font_04_sfnt_off00031b48.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x31B48
    Size: 73524 bytes
    SHA-256: 11e296a4cc19a14fa99e0933229fb082d3b79d68b9b9fca3923c9f05709e036f
  • font_05_sfnt_off0003b1b3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3B1B3
    Size: 72796 bytes
    SHA-256: 6fa4cff8541caa58db133a0a159ecfa17e1d6dfa917cfada26bd25d20fa6d91c
  • font_06_sfnt_off0004445d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4445D
    Size: 59432 bytes
    SHA-256: ba4d67f4081bc1a581551c8f616bf9422595207438fd88cf70e4308a16b88c0f
  • font_07_sfnt_off0004be8d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4BE8D
    Size: 3200 bytes
    SHA-256: da221eaf9c0703b15f52b4a6970fa71a439df3d18f75c8d84d8a42bde6044dfb
  • polyglot_child_pdf_off00018c79.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside PDF container at offset 0x18C79
    Size: 221102 bytes
    SHA-256: 61948d98680e48aff6e2fd436ee823bbaaa121e700d2e25ea8fffc53a71c81be
  • polyglot_child_pdf_off0004d43a.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside PDF container at offset 0x4D43A
    Size: 6125 bytes
    SHA-256: 0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8