Malicious PDF — malware analysis report

Static analysis result for SHA-256 174561b788f6c0f7…

MALICIOUS

PDF

Size: 3.17 MB
Created: 2013-10-08 13:14:45 -04:00
Authoring application: Adobe InDesign CS6 (Macintosh) (via 3-Heights(TM) PDF Producer 4.2.26.0 (http://www.pdf-tools.com))
MD5: caa3a36b6e8a0f28e72c4d26c243e580
SHA-1: fcaa4eefe58fe634801eb9200894599a1017c58a
SHA-256: 174561b788f6c0f7085ca41a52850697995293ab760f66d02f4dc1cee594a46b
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a PDF document identified by ClamAV as exploiting CVE-2018-15984. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' indicates the document's content is designed to trick users into paying fees for a non-existent prize or parcel. The high stream count suggests obfuscation techniques were employed to hide the exploit.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3920

Heuristics (5)

  • ClamAV: Pdf.Exploit.CVE_2018_15984-6807148-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.CVE_2018_15984-6807148-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Unusually high stream count medium PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.istqb.org/downloads/glossary.html
    • http://www.processimpact.com/pr_goodies.shtml
    • http://www.aonix.com/pdf/2140-AON.pdf
    • http://www.taylorandfrancis.com
    • http://www.crcpress.com
    • http://www.crcpress.com/product/isbn/9781466560680
    • http://www-306.ibm.com/software/
    • http://www.crcpress.com/product/isbn/���
    • http://www.crcpress.com/prod���uct/���
    • http://www.faa.gov/about/office_org/headquarters_offices/ang/offices/tc/library/
    • http://www.pdf-tools.com

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Columns per entry: Filename, SHA-256, Kind, Source, Size (followed by Detection notes where present)
font_00_cff_off00003da1.bin
9bdb5f28b444880985f290672f47894054220d3e49f125e8dea66a2d9c24d1ed
pdf-font-stream PDF embedded font (cff) at offset 0x3DA1 4518 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.41, consistent with packed or encrypted content.
font_01_cff_off00018fa9.bin
3122172964a9a086467355696a2eb3f9a4138c6acf0392a6edf71c86d42c7c7d
pdf-font-stream PDF embedded font (cff) at offset 0x18FA9 4407 bytes
font_02_cff_off0002e1e6.bin
8df48396aed50b7ebcf20893176276eeea1e0d6d590ef2188a53f6310fa3b71d
pdf-font-stream PDF embedded font (cff) at offset 0x2E1E6 4920 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.
font_03_cff_off00035f36.bin
eafe5df9ba52e236d2a2a3de0ea89e460d38be395a32954f36134208071b6433
pdf-font-stream PDF embedded font (cff) at offset 0x35F36 7684 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.
font_04_cff_off0004c16b.bin
7187075a1d1fd5da72624f9be6a26f500501182676cefc8a137b88df3986bbb6
pdf-font-stream PDF embedded font (cff) at offset 0x4C16B 335 bytes
font_05_cff_off0004c685.bin
2f1f598251f1527a93f849c3b4b2fe1bd1a13c54b32deec381b1e4ce74099226
pdf-font-stream PDF embedded font (cff) at offset 0x4C685 1718 bytes
font_06_cff_off0009ee4d.bin
2e3aa73ed9b0ff37dbc8c3b41870a0df0a1a592ad6b155b5c1edb013535eab47
pdf-font-stream PDF embedded font (cff) at offset 0x9EE4D 463 bytes
font_07_cff_off000b68d6.bin
4d4612564acd75fa1f178b92831cf29a63c28d46484cf2c4495709409170a307
pdf-font-stream PDF embedded font (cff) at offset 0xB68D6 5650 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.47, consistent with packed or encrypted content.
font_08_cff_off000ba047.bin
0f1f38ceae3c931fb8cb720cf9f2846b833f387aa87373f427aa01bb4b5fdb6b
pdf-font-stream PDF embedded font (cff) at offset 0xBA047 6828 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.
font_09_cff_off000c9650.bin
629dadf409013e2771c578bf093346afd1e02115205ff682ab77f2c5a2ec42fc
pdf-font-stream PDF embedded font (cff) at offset 0xC9650 3474 bytes
font_10_cff_off000ce728.bin
b190f12262d95716d443a2bb0863555a21f8c900dcb2b1400b6661db4d1cca6a
pdf-font-stream PDF embedded font (cff) at offset 0xCE728 4236 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.41, consistent with packed or encrypted content.
font_11_cff_off000d7d62.bin
0cefe080ccbdca5ba8ae1ebaa4d051969761be1781fb92043897959a4824937e
pdf-font-stream PDF embedded font (cff) at offset 0xD7D62 3382 bytes
font_12_cff_off00100ec8.bin
bc9b88c63f9b6838e35a296004414b429463302185b636d53cd5cadc49b8335d
pdf-font-stream PDF embedded font (cff) at offset 0x100EC8 6615 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
font_13_cff_off00106c00.bin
593e95e65d383c33abc266c81a4e665bdd61c2349fb17a02be869158a1f8b08e
pdf-font-stream PDF embedded font (cff) at offset 0x106C00 5176 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.43, consistent with packed or encrypted content.
font_14_cff_off001099a9.bin
cc68dbb360e595f8f27adbc3dd03db6090671f62274467c382ca7f96ae4abaf5
pdf-font-stream PDF embedded font (cff) at offset 0x1099A9 5082 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.42, consistent with packed or encrypted content.
font_15_cff_off0011c8d3.bin
0c4740561b75bf465fde0483ff317488ec16245b427d9a33e4a536e0a3186e9b
pdf-font-stream PDF embedded font (cff) at offset 0x11C8D3 6441 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.47, consistent with packed or encrypted content.
font_16_cff_off0013ac7f.bin
791753e4feae77b34a3e682374862519773a1570f83ce4fcb56e9f3d1c9dfdd3
pdf-font-stream PDF embedded font (cff) at offset 0x13AC7F 5875 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
font_17_cff_off00159d6e.bin
26694c1fc4ffbca8ebb4c950a56e93c3247a7278988020cb468fc004d91043c7
pdf-font-stream PDF embedded font (cff) at offset 0x159D6E 4799 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.44, consistent with packed or encrypted content.
font_18_cff_off001652e5.bin
5cc803787ebcda6df4f4291cf3f3fef7e2aec0b9cd534487cad382ffc03401ad
pdf-font-stream PDF embedded font (cff) at offset 0x1652E5 7515 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
font_19_cff_off00168b44.bin
8599bdf13ac7b01560308d5e8cba0b90df37e92fd07246844e54038f2851f85e
pdf-font-stream PDF embedded font (cff) at offset 0x168B44 3281 bytes
font_20_cff_off0017b4b7.bin
2af58dd31f7ff471d74897bb2e4997ed5f2273e9319262c9afcb540e0d010232
pdf-font-stream PDF embedded font (cff) at offset 0x17B4B7 6281 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.
font_21_cff_off001991ef.bin
76dc470f449c897380f8a4997c1a87627cc200f85d241f3e58268a87373ed99f
pdf-font-stream PDF embedded font (cff) at offset 0x1991EF 4488 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
font_22_cff_off001a5dd9.bin
42a6dfe2f42f34be2105aab210d2d2b9e1779f6d9abb4ceb18e2a4a4454f11d2
pdf-font-stream PDF embedded font (cff) at offset 0x1A5DD9 4777 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
font_23_cff_off001c5c21.bin
7cb2a6c5ac01269ab74dc9122ddbfe432e1b172c478f40d826a6828a6a0cdc65
pdf-font-stream PDF embedded font (cff) at offset 0x1C5C21 2278 bytes
font_24_cff_off001c64ed.bin
9f2de66dfb669c1e5d8a58d75e8ae3fbde740243f98bcf8eadcdb5bd2fd891fd
pdf-font-stream PDF embedded font (cff) at offset 0x1C64ED 295 bytes
font_25_cff_off001cfa4b.bin
1d8a6bc19fe03193e86c8ad69e3063862033cecd16e956cd8068b09b502bec8f
pdf-font-stream PDF embedded font (cff) at offset 0x1CFA4B 7274 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.44, consistent with packed or encrypted content.
font_26_cff_off001d3472.bin
9a37bf07cfc3164b5309b73640f0060ce6937141fbde8b9d4da9b410d10f20d3
pdf-font-stream PDF embedded font (cff) at offset 0x1D3472 6890 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.44, consistent with packed or encrypted content.
font_27_cff_off001d685d.bin
f5679ae753d2edc35b9f72008dbd5d85dc884c4b6a2d9f28b5f71e95a21c80ce
pdf-font-stream PDF embedded font (cff) at offset 0x1D685D 7878 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.
font_28_cff_off001e1969.bin
0fe7c423fb9b8ae469e8530e8b483ed59c6cef40d948f0a7141aae7f0bcd5693
pdf-font-stream PDF embedded font (cff) at offset 0x1E1969 4170 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.43, consistent with packed or encrypted content.
font_29_cff_off001e79ad.bin
7152120b34ca629be666df3a81c464a04df69252e89d1223c3edd7f723a641fd
pdf-font-stream PDF embedded font (cff) at offset 0x1E79AD 3842 bytes
font_30_cff_off001ebc5c.bin
825b0a058d8028f871c00b7a1c2ab7517d0cfc1295a3e5debd6da05ba17f5c97
pdf-font-stream PDF embedded font (cff) at offset 0x1EBC5C 4847 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.41, consistent with packed or encrypted content.
font_31_cff_off001f616a.bin
fc67cd8a88aed972fdd7f6e27b95f33e7e481726d18fae1b81aff08b1d52a7d5
pdf-font-stream PDF embedded font (cff) at offset 0x1F616A 4540 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.42, consistent with packed or encrypted content.