Malicious PDF — malware analysis report

Static analysis result for SHA-256 10368309c2d69430…

Verdict: MALICIOUS
File type: PDF
Size: 219.4 KB
Created: 2009-03-04 10:09:19 -08:00
Authoring application: Acrobat PDFMaker 8.1 for Word (via Acrobat Distiller 8.1.0 (Windows))
First seen: 2021-01-23
MD5: 8a781bbaf530aa4e3b4ce02a2e79de60
SHA-1: 1d4b2b604dc01b0af71736af59d7e9bed76c56a6
SHA-256: 10368309c2d69430a59a99ec29fabda4bf64072b5c63f7de017c3e7d18bbadb3
Risk Score: 204

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF file contains embedded JavaScript that uses functions such as String.fromCharCode and eval(), indicating an attempt to obfuscate malicious code. The JavaScript interacts with external URLs such as http://www.trisect.dk/ and http://www.formrouter.com/, suggesting it is designed to download and execute a secondary payload. The ClamAV detection Pdf.Malware.Agent-9983092-0 further supports the malicious verdict.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3262

Heuristics (8)

  • ClamAV: Pdf.Malware.Agent-9983092-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Malware.Agent-9983092-0
  • JavaScript action (low, 2 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched lines in script:
            }
    eval(decrypt(sourceCode,(new Date().getSeconds() % 1)))
    Note that getSeconds() % 1 always evaluates to 0, so the apparently time-dependent key passed to decrypt() is in fact constant.
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low) PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • AcroForm button with action trigger (low) PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels below state which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.windjack.com (in PDF document text)
    • http://www.pdfscripting.com (in PDF document text)
    • http://www.trisect.dk/ (PDF link annotation)
    • http://www.formrouter.com/ (in PDF document text)
    • http://www.trisect.dk (referenced by PDF JavaScript)
    • http://www.formrouter.com (referenced by PDF JavaScript)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (referenced by PDF JavaScript)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (referenced by PDF JavaScript)
    • http://purl.org/dc/elements/1.1/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/xap/1.0/mm/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/pdfx/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (referenced by PDF JavaScript)
    • http://ns.adobe.com/photoshop/1.0/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/tiff/1.0/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/exif/1.0/ (referenced by PDF JavaScript)
    The w3.org, purl.org and ns.adobe.com entries are standard XMP metadata namespace identifiers rather than network destinations; only the trisect.dk and formrouter.com URLs are candidate contact points.

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Each entry lists the carved file's filename, kind, source location and size, followed by its SHA-256.
Filename: JSPopupCalendar.doc
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 203 at offset 0x11C0E
Size: 71168 bytes
SHA-256: f27a827d874af1ac08c33e8c1444b6455ba84923ec12830585794d91f42c5c4e
Filename: javascript_obj0072_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 72 at offset 0x3715
Size: 84 bytes
SHA-256: d782d639c45bcaa96880fc9447174b8d7d299f585b1ea79cf5b180ed3f59332a
Script preview (first 1,000 lines of the extracted script):
FormRouter_PlaceCalendar(this.getField("DateTest2"), true, "ddd mmm d, yyyy");
Filename: javascript_obj0075_001.js
Kind: pdf-javascript-stream
Source: PDF /JS object 75 at offset 0x3A2A
Size: 86 bytes
SHA-256: 996a31921a7b314305fefd156bb245b28822c0148d0e73418fca006bd7bf7a12
Script preview (first 1,000 lines of the extracted script):
FormRouter_PlaceCalendar(this.getField("DateTest1"), false, "mm/dd/yyyy");
Filename: javascript_obj0079_002.js
Kind: pdf-javascript-stream
Source: PDF /JS object 79 at offset 0x3DC6
Size: 85 bytes
SHA-256: 6387eebded479cab3ecfc6ae7580d53e5e71f2a1b2ca26754ba57a2c06fd0577
Script preview (first 1,000 lines of the extracted script):
FormRouter_PlaceCalendar(this.getField("FormDateField"), false, "mmmm dd, yy");
Filename: javascript_obj0081_003.js
Kind: pdf-javascript-stream
Source: PDF /JS object 81 at offset 0x3F87
Size: 89 bytes
SHA-256: e351151ec253ccf74999819c5e672de09855e7c7809f62c096d11716fd900a51
Script preview (first 1,000 lines of the extracted script):
FormRouter_PlaceCalendar(this.getField("FormDateField.1"), false, "mmm d, yyyy");
Filename: javascript_obj0171_004.js
Kind: pdf-javascript-stream
Source: PDF /JS object 171 at offset 0x10059
Size: 150 bytes
SHA-256: a6ba449cd511cf40387696e604a8ea30b1c722e0fa6a10b4f3ce2261cac916e7
Script preview (first 1,000 lines of the extracted script):
if(!event.willCommit)
{
  FormRouter_SetDays(parseInt(event.changeEx), parseInt(getField("FR_00000_Calendar.CalendarYear").value));
}
Filename: javascript_obj0224_006.js
Kind: pdf-javascript-stream
Source: PDF /JS object 224 at offset 0x24A72
Size: 54 bytes
SHA-256: 3028de115b0e4dfaeb8eab1e550b22c5e6bf071f2e46c19f4e7a236056dc0123
Script preview (first 1,000 lines of the extracted script):
/* Set day 2 */
FormRouter_SetCurrentDate("2");
Filename: javascript_obj0230_007.js
Kind: pdf-javascript-stream
Source: PDF /JS object 230 at offset 0x2512C
Size: 60 bytes
SHA-256: 28d9dbd1b4a87869a308c824e9ede90f042537135484ef44a7c9ad16122e7ca4
Script preview (first 1,000 lines of the extracted script):
/* Set day 3 */
	FormRouter_SetCurrentDate("3");
Filename: javascript_obj0236_008.js
Kind: pdf-javascript-stream
Source: PDF /JS object 236 at offset 0x257FE
Size: 54 bytes
SHA-256: dfa51a9b86cd74123e8a0e369f4b92c9dc95b81d706dba3de1529cb5cc7ed275
Script preview (first 1,000 lines of the extracted script):
/* Set day 4 */
	FormRouter_SetCurrentDate("4");
Filename: javascript_obj0242_009.js
Kind: pdf-javascript-stream
Source: PDF /JS object 242 at offset 0x25EB8
Size: 54 bytes
SHA-256: cd7c981cc4603cde5c751d4a86df821ea0f3bdf6ce2a6a3c3a3e1b71d2fd3dd7
Script preview (first 1,000 lines of the extracted script):
/* Set day 5 */
	FormRouter_SetCurrentDate("5");
Filename: javascript_obj0248_010.js
Kind: pdf-javascript-stream
Source: PDF /JS object 248 at offset 0x2659D
Size: 54 bytes
SHA-256: 2b11ec4ab6212f1d04dfd518b4e7148f5e73f838252b2672c6c4e57b691eebe2
Script preview (first 1,000 lines of the extracted script):
/* Set day 6 */
	FormRouter_SetCurrentDate("6");
Filename: javascript_obj0254_011.js
Kind: pdf-javascript-stream
Source: PDF /JS object 254 at offset 0x26C57
Size: 54 bytes
SHA-256: f9d89262795f905244474dabf7997637dada651edbaf7a286da3f08dc8205cb8
Script preview (first 1,000 lines of the extracted script):
/* Set day 7 */
	FormRouter_SetCurrentDate("7");
Filename: javascript_obj0260_012.js
Kind: pdf-javascript-stream
Source: PDF /JS object 260 at offset 0x27311
Size: 54 bytes
SHA-256: d1dca82399c05b1bd956713048cf5224a9360c8c9722b228789df23841ca9693
Script preview (first 1,000 lines of the extracted script):
/* Set day 8 */
	FormRouter_SetCurrentDate("8");
Filename: javascript_obj0266_013.js
Kind: pdf-javascript-stream
Source: PDF /JS object 266 at offset 0x279C9
Size: 54 bytes
SHA-256: 940e9253698d2df6789af910a67255e9b94d379e0c0679bda19672db05a0d396
Script preview (first 1,000 lines of the extracted script):
/* Set day 9 */
	FormRouter_SetCurrentDate("9");
Filename: javascript_obj0272_014.js
Kind: pdf-javascript-stream
Source: PDF /JS object 272 at offset 0x28083
Size: 56 bytes
SHA-256: 27349853cead109b42036ca1ddac0f560e69677c8fc0e99552c3136fbe9066ff
Script preview (first 1,000 lines of the extracted script):
/* Set day 10 */
	FormRouter_SetCurrentDate("10");
Filename: javascript_obj0278_015.js
Kind: pdf-javascript-stream
Source: PDF /JS object 278 at offset 0x28741
Size: 56 bytes
SHA-256: e0c06a9a5bb90dc10801f6cd7fbe170ba7709786366597b122dabf4e5b95be2d
Script preview (first 1,000 lines of the extracted script):
/* Set day 11 */
	FormRouter_SetCurrentDate("11");
Filename: javascript_obj0284_016.js
Kind: pdf-javascript-stream
Source: PDF /JS object 284 at offset 0x28DFF
Size: 56 bytes
SHA-256: 0e1a45b7fc760bfebc03e3b33fe4a6d924f98c651595f4cb340138bb494faae8
Script preview (first 1,000 lines of the extracted script):
/* Set day 12 */
	FormRouter_SetCurrentDate("12");
Filename: javascript_obj0290_017.js
Kind: pdf-javascript-stream
Source: PDF /JS object 290 at offset 0x294BF
Size: 57 bytes
SHA-256: 902c8366f14e09e2e38570a9eb9a26e0e6a1274cc39f841ee9f68254c668c241
Script preview (first 1,000 lines of the extracted script):
/*  Set day 13 */
	FormRouter_SetCurrentDate("13");
Filename: javascript_obj0296_018.js
Kind: pdf-javascript-stream
Source: PDF /JS object 296 at offset 0x29B81
Size: 56 bytes
SHA-256: cb132c85677fd2be28f5d55c3bb7239b7f30ab5d3494e33500a9ea72704899e9
Script preview (first 1,000 lines of the extracted script):
/* Set day 14 */
	FormRouter_SetCurrentDate("14");
Filename: javascript_obj0302_019.js
Kind: pdf-javascript-stream
Source: PDF /JS object 302 at offset 0x2A23F
Size: 56 bytes
SHA-256: 445acad33f8b7efeb8dc5a1c8ee11777d817f15664009bee9081f2e4e9a39a7d
Script preview (first 1,000 lines of the extracted script):
/* Set day 15 */
	FormRouter_SetCurrentDate("15");
Filename: javascript_obj0308_020.js
Kind: pdf-javascript-stream
Source: PDF /JS object 308 at offset 0x2A8FD
Size: 56 bytes
SHA-256: 428c460c0da76e767c2f8b817bf4c95ad7855a9489cbc5da4187c68102f40021
Script preview (first 1,000 lines of the extracted script):
/* Set day 16 */
	FormRouter_SetCurrentDate("16");
Filename: javascript_obj0314_021.js
Kind: pdf-javascript-stream
Source: PDF /JS object 314 at offset 0x2AFBD
Size: 56 bytes
SHA-256: c4115f4f95a1bd391913a4936b713d6be1a0c0216553bc6cc5362611e7344a20
Script preview (first 1,000 lines of the extracted script):
/* Set day 17 */
	FormRouter_SetCurrentDate("17");
Filename: javascript_obj0320_022.js
Kind: pdf-javascript-stream
Source: PDF /JS object 320 at offset 0x2B67D
Size: 56 bytes
SHA-256: fe32398961094fbfb2eaafaf6b3bb4fc8a47b15f0704a6a1f8fc3dd246887f6d
Script preview (first 1,000 lines of the extracted script):
/* Set day 18 */
	FormRouter_SetCurrentDate("18");
Filename: javascript_obj0326_023.js
Kind: pdf-javascript-stream
Source: PDF /JS object 326 at offset 0x2BD3D
Size: 62 bytes
SHA-256: a36f70fbc96a5ba20a0df7d2785518ecf611e42839142e7b1a6226df7fede1bf
Script preview (first 1,000 lines of the extracted script):
/* Set day 19 */
	FormRouter_SetCurrentDate("19");
Filename: javascript_obj0332_024.js
Kind: pdf-javascript-stream
Source: PDF /JS object 332 at offset 0x2C415
Size: 56 bytes
SHA-256: c73585801a9629d21c19497b569d7843840a9be0f202122dbf273134ca7fb2b7
Script preview (first 1,000 lines of the extracted script):
/* Set day 20 */
	FormRouter_SetCurrentDate("20");
Filename: javascript_obj0338_025.js
Kind: pdf-javascript-stream
Source: PDF /JS object 338 at offset 0x2CAD5
Size: 56 bytes
SHA-256: 580acc352787c4a6c0a7836d4bfcf9ffb1b2b9896ccb1fbe254b668483ce0d5d
Script preview (first 1,000 lines of the extracted script):
/* Set day 21 */
	FormRouter_SetCurrentDate("21");
Filename: javascript_obj0344_026.js
Kind: pdf-javascript-stream
Source: PDF /JS object 344 at offset 0x2D195
Size: 56 bytes
SHA-256: 7f6991f19175ea63adacc0932087dad1898fa86177e461e7eb7e385d495a731f
Script preview (first 1,000 lines of the extracted script):
/* Set day 22 */
	FormRouter_SetCurrentDate("22");
Filename: javascript_obj0350_027.js
Kind: pdf-javascript-stream
Source: PDF /JS object 350 at offset 0x2D855
Size: 56 bytes
SHA-256: f1d645ff3ec500f0048bc66b13624594caa254589d8f2ae46c803f2bd9019ca9
Script preview (first 1,000 lines of the extracted script):
/* Set day 23 */
	FormRouter_SetCurrentDate("23");
Filename: javascript_obj0356_028.js
Kind: pdf-javascript-stream
Source: PDF /JS object 356 at offset 0x2DF15
Size: 56 bytes
SHA-256: 4e5d77d74e314a957f00ff03e8d179e179edef9650931db4dec6e9f6ee147642
Script preview (first 1,000 lines of the extracted script):
/* Set day 24 */
	FormRouter_SetCurrentDate("24");
Filename: javascript_obj0362_029.js
Kind: pdf-javascript-stream
Source: PDF /JS object 362 at offset 0x2E5D5
Size: 56 bytes
SHA-256: fe3b638668c71ba5bcc53d13cb36a72c7e938289c6cecb6a1b693f00c77db452
Script preview (first 1,000 lines of the extracted script):
/* Set day 25 */
	FormRouter_SetCurrentDate("25");
Filename: javascript_obj0368_030.js
Kind: pdf-javascript-stream
Source: PDF /JS object 368 at offset 0x2EC91
Size: 56 bytes
SHA-256: fa1d8c34a615fae6ef15c252f22be52da3e06d8edf1b128014ba8d4ba3e9bbe5
Script preview (first 1,000 lines of the extracted script):
/* Set day 26 */
	FormRouter_SetCurrentDate("26");
Filename: javascript_obj0374_031.js
Kind: pdf-javascript-stream
Source: PDF /JS object 374 at offset 0x2F37D
Size: 56 bytes
SHA-256: 96c4e6976d16b424ff02d7ef3fdabf41262d3ffc6a191431dc77176a814c1256
Script preview (first 1,000 lines of the extracted script):
/* Set day 27 */
	FormRouter_SetCurrentDate("27");