Malicious PDF — malware analysis report

Static analysis result for SHA-256 1bf0987969094a27…

MALICIOUS

PDF

213.6 KB Created: 2013-02-27 10:37:10 -06:00 Authoring application: QuickLinQs 5.0 (via PDFlib+PDI 6.0.3 (.NET/Win32))
MD5: 1976ff692a3b21a8d6959d0ada322a74 SHA-1: 28841b1d4a6e2fecbd3c0407b382a83797829308 SHA-256: 1bf0987969094a270d9612c1787590f6f8e7109e4bf3a2d4fd70566be37b546f
86 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains embedded JavaScript, indicated by multiple PDF_JAVASCRIPT and PDF_JS heuristic firings. The presence of a POLYGLOT_CHILD_PDF_STATIC_TRIAGE rule suggests a nested PDF structure with suspicious findings. The JavaScript actions, combined with the PDF's image-only lure and embedded URLs, strongly suggest it's designed to download and execute a secondary payload. The exact intent of the JavaScript is not fully discernible due to potential obfuscation, but the overall pattern points to a downloader. The document body is unreadable, providing no further context.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2676

Heuristics 6

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.innocalsolutions.com/default.asp?referred_id=
    • http://www.masterflex.com/index.asp?referred_id=
    • http://www.4oakton.com/?referred_id=
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://www.coleparmer.com/home.aspx?referred_id=
    • http://www.coleparmer.com/Product/

Extracted artifacts 14

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0205_000.js
5013ae210f185f324444c5503254a24d134aa01a19a7935beea1e8070519917c		 pdf-javascript-stream PDF /JS object 205 at offset 0x2DE39 81 bytes
javascript_obj0206_001.js
9921773e6c2168b7f46a7177892b4345297532400ef9a5a345d320ccb5ff0fbe		 pdf-javascript-stream PDF /JS object 206 at offset 0x2DEC1 64 bytes
javascript_obj0295_032.js
fdba0f174d2d75ea28ded05dca99a18beed6ac1b209e6ceb6b558dccae6fa8d4		 pdf-javascript-stream PDF /JS object 295 at offset 0x3280D 2346 bytes
icc_00_off0000acee.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0xACEE 3144 bytes
font_00_cff_off00016270.bin
1f6ad89482caa1ccdbcdda604cef584ae78fa849418012968b9c177bd8c286f2		 pdf-font-stream PDF embedded font (cff) at offset 0x16270 788 bytes
font_01_cff_off00016efd.bin
7e209cc29addfd5bf5520bd2e6d316e4053ab9cab9bc2808081df6d146dbd0ea		 pdf-font-stream PDF embedded font (cff) at offset 0x16EFD 8856 bytes
font_02_cff_off000195c5.bin
18936ae00b1753a1a2d127898af62aaf2688c739b71fb0fa26adb81cc51f1ddf		 pdf-font-stream PDF embedded font (cff) at offset 0x195C5 6513 bytes
font_03_cff_off0001b43b.bin
e8b68087cab38440e7b26248aed056f09b17d22c05f67b40ccf32a86dc921a0a		 pdf-font-stream PDF embedded font (cff) at offset 0x1B43B 8426 bytes
font_04_cff_off0001d9a0.bin
34e70eabce3f378c05c7208eff7508083aaef100e37910c84cd60d02b028e2f0		 pdf-font-stream PDF embedded font (cff) at offset 0x1D9A0 7449 bytes
font_05_cff_off0001fb39.bin
6510a3044200fe26bf164e082035f3d228b81ce4d2cc252187327c2e43a16ad5		 pdf-font-stream PDF embedded font (cff) at offset 0x1FB39 6624 bytes
font_06_cff_off0002156c.bin
3a58bc3d62b90f3a592f00eb18eb9135735bc88645fd775e4a0e0c2aefc56225		 pdf-font-stream PDF embedded font (cff) at offset 0x2156C 1675 bytes
font_07_cff_off00021fac.bin
12e1b26a3a93159dfef12fe4a466101db3e70a4df9d1e1fc03bacc92935011b3		 pdf-font-stream PDF embedded font (cff) at offset 0x21FAC 3937 bytes
font_08_cff_off00023568.bin
e60c955ce24fe7f543377e1a851711049786332e96e3ba29e621fa6526409dde		 pdf-font-stream PDF embedded font (cff) at offset 0x23568 7239 bytes
polyglot_child_pdf_off00000009.pdf
f2d878a75d8486605411deeffd37b8cfb5469b910dd34487752483dd4854e5c7		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x9 218689 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.