Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b3dc280d505d78f…

MALICIOUS

PDF

666.5 KB Created: ŽÌ›<jévYÆ~휯æ·ê•ï&"›¾€N¿C?š~Ú+¬ÃɊ°}Õ3C  Authoring application: µimÏr¯˜g3|pdÜ$•“ÅÑ|¥¯I<_ó¢½>‰)Qbž’ŠGyñE²m+ùqüS4 &¥×Mlhf’™L5 (via dŸ²}@¤·æÁÄ@­9¼Îo_% ¨¹&ÀÌß>&‚15yqXgIOü) First seen: 2015-09-18
MD5: 2a2c779f9e2b3ad5a422ba506dd84970 SHA-1: 9143170b72fe68061dcf6eefd0e12b9ec300001d SHA-256: 1b3dc280d505d78f393ee1da4961686245e2ae2391c5c89e38326f627f50413a
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file contains an embedded SWF file which ClamAV identifies as malicious, likely an exploit kit component. The PDF itself is encrypted and appears to be an image-only lure, indicating a multi-stage attack. The presence of an embedded, undecodable file further supports the malicious nature.

Machine Learning

  • Nyx PDF Classifier clean score 0.0373

Heuristics 7

  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • PDF embedded file could not be fully decoded medium PDF_EMBEDDED_FILE_UNDECODED
    A declared PDF /EmbeddedFile stream uses filters that the scanner could not decode. The raw stream was carved for artifact triage because malformed or unsupported attachment filters can hide payload content from normal extraction.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Encrypted PDF (string and stream contents are opaque to static scan) info PDF_ENCRYPTED
    PDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.deltatestingltd In PDF document text
    • http://www-935.ibm.com/services/us/en/security/infographic/cybersecurityindex.htmlIn PDF document text
    • http://dealbook.nytimes.com//2014/10/02/jpmorgan-discovers-further-cyber-security-In PDF document text
    • http://www.ft.com/cms/s/0/3d9d6f24-5524-11e4-89e8-00144feab7deIn PDF document text
    • http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.htmlIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8_swf_infected.swf pdf-embedded-file PDF EmbeddedFile object 675 at offset 0x9D529 38178 bytes
SHA-256: a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8
Detection
ClamAV: Swf.Exploit.Kit-117
Obfuscation or payload: likely
actual_type=SWF; declared_or_context_type=PDF; filename=a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8_swf_infected.swf; kind=pdf-embedded-file Carved artifact entropy is 7.98, consistent with packed or encrypted content.
icc_00_off0003e093.icc pdf-icc-profile PDF ICC profile at offset 0x3E093 1960 bytes
SHA-256: cda96247dc9e5f58d9de130f6288b8b43bca6c23ebc1b62f1aaaa03c45284fd2
font_00_sfnt_off00069ec6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x69EC6 36767 bytes
SHA-256: 2980e7cbe4ae992efb9eacf062469367b57cc35eb36596a0dd649f90e7f901a3
font_01_cff_off000724ad.bin pdf-font-stream PDF embedded font (cff) at offset 0x724AD 4646 bytes
SHA-256: 719d02109977adbbe4b80a78f4b0d53c841368a74d3cc491b8625829b41c8efd
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.44, consistent with packed or encrypted content.
embedded_file_obj0675_undecoded.bin pdf-embedded-file-undecodable PDF EmbeddedFile object 675 at offset 0x9D892; filter decode failed 35744 bytes
SHA-256: 635dace94b83a5791f9f9d55230859656e4bb9f8dee5d9eacbf373e542cc0e66
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.