PDF malware analysis — malicious · 13b75054e91e7ddc

MALICIOUS

PDF

1010.8 KB Created: 2010-11-15 14:39:56 +09:00 Authoring application: oÍpQuarkXPressþ -Trueflow: AdobePS 8.7.0 (via PDF Polisher Pro 3.12 205)

MD5: 103c8b66c224933edf05530674987b21 SHA-1: 95d268755d27e9f9cfb173422b79ab3a5b7cf1b7 SHA-256: 13b75054e91e7ddc9e9e9fc374a615fff096379887531d8193b79ebf54c28c18

66 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file exhibits multiple critical heuristic firings related to suspicious embedded objects and cross-reference table mismatches, indicating it is likely designed to exploit vulnerabilities or deliver a secondary payload. The presence of embedded artifacts and the 'POLYGLOT_CHILD_PDF_STATIC_TRIAGE' rule strongly suggest malicious intent, potentially for client-side exploitation. While no specific URLs were flagged as malicious, the overall structure and heuristic findings point towards a malicious document.

Machine Learning

Nyx PDF Classifier clean score 0.0134

Heuristics 4

Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/

Extracted artifacts 32

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_012_off00001fdb.bin` `efb952623a6ca924c162bfb35ad1ac483977f21576c8e2ffa75616868bcd2407`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x1FDB	85192 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.47, consistent with packed or encrypted content.
`stream_107_off0005b648.bin` `d80878cfddb8638333cd2c7fd75656db7345178ab27df1c526bbc5e4da6c7e6c`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x5B648	95176 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.47, consistent with packed or encrypted content.
`font_00_cff_off000006b2.bin` `ecdfda83506bda48394ee4faf22e1b05e9f4bb4a8d8ba8d3f5a7697c52e92344`	pdf-font-stream	PDF embedded font (cff) at offset 0x6B2	1292 bytes
`font_02_cff_off00015e14.bin` `d5a9e899488dcac43f85e708e3e7b8c937f5d80dba4d6e460b2060adf21a0568`	pdf-font-stream	PDF embedded font (cff) at offset 0x15E14	823 bytes
`font_03_cff_off00016b1e.bin` `e1058840affba07c808d1aa13b1416eb0d9134d78520651acd35c08771c3e27b`	pdf-font-stream	PDF embedded font (cff) at offset 0x16B1E	14445 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.44, consistent with packed or encrypted content.
`font_04_cff_off0001d4a4.bin` `df33ddedb2a3085c5b36842b4a84acaa88e0d288241db0014d5d9d4c54fbc412`	pdf-font-stream	PDF embedded font (cff) at offset 0x1D4A4	803 bytes
`font_05_cff_off0002aeb1.bin` `18cb68c650f0af5900491a4d214564ef6621b9562e4b45b492f9bef18ca78aa5`	pdf-font-stream	PDF embedded font (cff) at offset 0x2AEB1	12344 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.43, consistent with packed or encrypted content.
`font_06_cff_off0002df0d.bin` `d709131218687eb3e6399d879a889cac32215356604f29bb626ec36e176b11f0`	pdf-font-stream	PDF embedded font (cff) at offset 0x2DF0D	342 bytes
`font_07_cff_off0002e556.bin` `612701c4323c0e0158ca6d30bd7908d26dee372a66e960dd6a94b7f9bda0a36f`	pdf-font-stream	PDF embedded font (cff) at offset 0x2E556	7956 bytes
`font_08_cff_off0003189c.bin` `e2754abdb88a10adf4ebe2d8e475217c06f8c0f8197b9db99f77ca6b67168d2a`	pdf-font-stream	PDF embedded font (cff) at offset 0x3189C	14929 bytes
`font_09_cff_off00035c64.bin` `16e813d9046ceba2f8b6e7a4e16488a5fcab8d60cedaf40d44b71a26d85531cf`	pdf-font-stream	PDF embedded font (cff) at offset 0x35C64	8434 bytes
`font_10_cff_off00038e12.bin` `b1b2634dd3c85ee150871c5fdd8eeaf116bc6e47c9e079ddca57f87da1879c77`	pdf-font-stream	PDF embedded font (cff) at offset 0x38E12	8115 bytes
`font_11_cff_off0003b53b.bin` `5f912a2bf52609052c7f5dab22910ad880eb567eb39fc6169227b4b23456d3cf`	pdf-font-stream	PDF embedded font (cff) at offset 0x3B53B	8083 bytes
`font_12_cff_off0003d543.bin` `cf43e84ab45a8e28c46c8620666443f69cd189fadb6db4cf24e75a75ddc7fa9a`	pdf-font-stream	PDF embedded font (cff) at offset 0x3D543	547 bytes
`font_13_cff_off000563aa.bin` `3f7ab50288656b6f6328078e3a357d161815d2cee47239594cc9e3023a6d495d`	pdf-font-stream	PDF embedded font (cff) at offset 0x563AA	331 bytes
`font_14_cff_off00057045.bin` `9ad4d2ce9773e5e2b1234038383e8ddff16c3df28fd37351341bdbcd7f377245`	pdf-font-stream	PDF embedded font (cff) at offset 0x57045	4893 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.44, consistent with packed or encrypted content.
`font_15_cff_off000585cb.bin` `9a4016eb023e59672c4271ef5143ff9701a4e1d34a3b3c9d91489a361bd25823`	pdf-font-stream	PDF embedded font (cff) at offset 0x585CB	588 bytes
`font_16_cff_off0005a8c7.bin` `bd02af0855f2cb5709e777b056b7a1b4cdfea7561128621148fda5a45e1ea087`	pdf-font-stream	PDF embedded font (cff) at offset 0x5A8C7	331 bytes
`font_18_cff_off00071971.bin` `ab4a6259b218a9d10133851f0007f083255e89e752ae15dc37e18aabbd64fadb`	pdf-font-stream	PDF embedded font (cff) at offset 0x71971	588 bytes
`font_19_cff_off000723cd.bin` `b7d3446a0e5a99c667c729608c13f4af15610dead6ba9b155a0e221267b2488d`	pdf-font-stream	PDF embedded font (cff) at offset 0x723CD	14445 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.44, consistent with packed or encrypted content.
`font_20_cff_off00076411.bin` `eb067fdbca2c9428bcf4bfb3b18e277339d35e4aed8d9c4062babd9854638d10`	pdf-font-stream	PDF embedded font (cff) at offset 0x76411	1231 bytes
`font_21_cff_off0007729b.bin` `12bf3173a549382b42e0e99babeddea956696ded76d613e13bd7e24ed4051a09`	pdf-font-stream	PDF embedded font (cff) at offset 0x7729B	14655 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.43, consistent with packed or encrypted content.
`font_22_cff_off0007aae3.bin` `5de88e9ecab8513884d30986621d9ca882b675bd8bdf3f757668afad1abf862f`	pdf-font-stream	PDF embedded font (cff) at offset 0x7AAE3	749 bytes
`font_23_cff_off0007b346.bin` `e681eafe01f68834aef757fb4bc24fab3b039ffbf5f0f0e477995ddfa0974bbe`	pdf-font-stream	PDF embedded font (cff) at offset 0x7B346	8095 bytes
`font_24_cff_off0007d91d.bin` `136410e444a9e3f73df08e96ecf635ce20edf86f37c93fdf29c574e87658cdd9`	pdf-font-stream	PDF embedded font (cff) at offset 0x7D91D	537 bytes
`font_25_cff_off0007f103.bin` `e3db125e1b8db212de994880d891dea19330b73c1355ab2e10d8a751e7f9aa98`	pdf-font-stream	PDF embedded font (cff) at offset 0x7F103	9439 bytes
`font_26_cff_off00081e72.bin` `e16d0b83ef02f877b7377af19a631e7a9a6d72f038c7cfedc562ff7ac60160b3`	pdf-font-stream	PDF embedded font (cff) at offset 0x81E72	8434 bytes
`font_27_cff_off00091eb8.bin` `c66414fbacae32d52161b4160133ce1d37421ca2759cc4096f234cb3d7fca026`	pdf-font-stream	PDF embedded font (cff) at offset 0x91EB8	5938 bytes
`font_28_cff_off00093e65.bin` `fe7d0b27ae103789124cf790bfedbef6b14d75542daa5ca0cc9639b7dc93072c`	pdf-font-stream	PDF embedded font (cff) at offset 0x93E65	8477 bytes
`font_29_cff_off000b19c1.bin` `2998ba42adf9dda7de2d90d61697218ff4e9677b4eb02b15419b2e65aeb20764`	pdf-font-stream	PDF embedded font (cff) at offset 0xB19C1	3588 bytes
`font_30_cff_off000b36d7.bin` `2440bac082afce6b7e4d9e1ff860f121fce514fe630d627f29da501456ec3895`	pdf-font-stream	PDF embedded font (cff) at offset 0xB36D7	4893 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.44, consistent with packed or encrypted content.
`font_31_cff_off000b4c3c.bin` `88f4fe828626a59eb96de528bd3275c47c5aa1086574ffe94a5de89625b59692`	pdf-font-stream	PDF embedded font (cff) at offset 0xB4C3C	547 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.