Malicious PDF — malware analysis report

Static analysis result for SHA-256 170d019b2405d787…

Verdict: MALICIOUS
File type: PDF
Size: 5.52 MB
Created: 2008-07-04 20:47:17 +05:30
Authoring application: Adobe Illustrator(R) 8.0 (via Acrobat Distiller 5.0.5 (Windows))
MD5: 5b8025f2cf4fe1f81ecf60c96d9d8e03
SHA-1: 2ea237b41a77d65888db096d82ced346b72d377f
SHA-256: 170d019b2405d7879354b32f8ba568189482aa638281978e5ce697745f1650e8
Risk Score: 144

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains JavaScript that checks the viewer version and alerts the user about embedded file attachments, suggesting an attempt to trick the user into interacting with potentially malicious content. Heuristics indicate lures related to advance-fee scams, invoices, and callback phishing, further supporting malicious intent. The embedded URL http://www.pfcindia.com is also noted.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9884

Heuristics (8)

  • Advance-fee lottery/parcel scam lure (severity: high, rule: SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Unusually high stream count (severity: medium, rule: PDF_MANY_STREAMS)
    PDF contains 501+ stream objects; this may indicate heap spray or heavy obfuscation.
  • Callback phishing phone lure (severity: medium, rule: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low, rule: PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Fake invoice / payment lure (severity: low, rule: SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.pfcindia.com
    Other extracted URLs (XMP metadata namespace and DTD references):
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/tiff/1.0/
      • http://ns.adobe.com/exif/1.0/
      • http://ns.adobe.com/photoshop/1.0/
      • http://www.apple.com/DTDs/PropertyList-1.0.dtd
      • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
      • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (20)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
---------|---------|------|--------|-----
javascript_obj2318_000.js | 736c69993d4cd953676f5971bd943955c344f3001c77f281afd5d8df5a456b51 | pdf-javascript-stream | PDF /JS object 2318 at offset 0x137C | 1379 bytes
stream_030_off00062b02.bin | 35f401731df11a4eba3502af632e51d68bc394bcb7d34632a331c1ba3f4a0bf6 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x62B02 | 557168 bytes
icc_00_off00001b04.icc | e5f6ffb83b6d3491301dd750975684cc5cc2a1951c994a14b08cfdaa0d75a041 | pdf-icc-profile | PDF ICC profile at offset 0x1B04 | 560 bytes
font_00_cff_off002e0528.bin | a614950956fd6535d0bba59c8d46d3a89b50d363cb7086120418cb45d1407b03 | pdf-font-stream | PDF embedded font (cff) at offset 0x2E0528 | 184 bytes
font_01_cff_off00328df9.bin | 5ab6cf985ac22b2ab26e4f37e7fd64e13728f0047453db4cf2414cb65487dccb | pdf-font-stream | PDF embedded font (cff) at offset 0x328DF9 | 184 bytes
font_02_cff_off00332a54.bin | 9c4d7c69de9c9ce21b6700a4ece90bc40997bcc82b700b1f4c173dc7012b44f3 | pdf-font-stream | PDF embedded font (cff) at offset 0x332A54 | 184 bytes
font_03_cff_off0033cebe.bin | a12e00bbad52b54d664371933cfc37906500d2e947af0d72bc31ae480f42d4d7 | pdf-font-stream | PDF embedded font (cff) at offset 0x33CEBE | 184 bytes
font_04_cff_off0034630a.bin | f1e2b9e472213e844c48d62bd05019c62d51aea30c13ffc4db686627adee1e9e | pdf-font-stream | PDF embedded font (cff) at offset 0x34630A | 184 bytes
font_05_cff_off00350197.bin | 38858852e4bada82770514d54e18c28e06e5879866847860f5166c0d4b90b258 | pdf-font-stream | PDF embedded font (cff) at offset 0x350197 | 184 bytes
font_06_cff_off00351e7d.bin | c5a037295e7296f55f6d7bb279ea62d2a57a1ea63c838aab26e71f220772830a | pdf-font-stream | PDF embedded font (cff) at offset 0x351E7D | 184 bytes
font_07_cff_off0035c286.bin | ed9166a8843f47d733e7c61590e48babbc532ecd1289aedf05fc33d64293cd97 | pdf-font-stream | PDF embedded font (cff) at offset 0x35C286 | 184 bytes
font_08_cff_off0036aabe.bin | da3b5124024d725cc9b84bb7cc7553be0974fc5d49ca0a13750b1c7764ff7c99 | pdf-font-stream | PDF embedded font (cff) at offset 0x36AABE | 184 bytes
font_09_cff_off00373808.bin | 21b2bd12be907d8e6eefd80ad0cdf4b3267eb3f5035bb3b8d2424d14e851459b | pdf-font-stream | PDF embedded font (cff) at offset 0x373808 | 184 bytes
font_10_cff_off003754f1.bin | 14fd65edaa211e9be346741dabfe8819494bb638489e64eb15f6b473df0e1494 | pdf-font-stream | PDF embedded font (cff) at offset 0x3754F1 | 2613 bytes
font_11_cff_off003960bc.bin | 5bd51ef26e903de4384294736fb28d2e3f5a0b11801df0bd7db2dd110d054719 | pdf-font-stream | PDF embedded font (cff) at offset 0x3960BC | 5066 bytes
font_12_cff_off003984fe.bin | 8b3665f11d038266ad6a55e2fed8234896c1733410356553510f1c749deeff48 | pdf-font-stream | PDF embedded font (cff) at offset 0x3984FE | 281 bytes
font_13_cff_off003e1edc.bin | 55b5aeb668ad331d5e63fdd672b93746d0dc591c9ee0a0aef82bcb58a5dcf749 | pdf-font-stream | PDF embedded font (cff) at offset 0x3E1EDC | 2731 bytes
font_14_cff_off004426da.bin | b848182807ff6bc1ce36a85407f8a49bee34a5f2b839c3ab189a1bbcde1a9abd | pdf-font-stream | PDF embedded font (cff) at offset 0x4426DA | 6340 bytes
font_15_cff_off0044401a.bin | 91c0855c0e35061a656d5e42da3899a580c7dcf657493132cec0f41f5cde1c7d | pdf-font-stream | PDF embedded font (cff) at offset 0x44401A | 5910 bytes
font_16_cff_off00534b89.bin | 1d02382398dd1fbb72ea9645d8359ce254e6f3875bb7b13adaad5b3bb63a878a | pdf-font-stream | PDF embedded font (cff) at offset 0x534B89 | 5217 bytes