Malicious PDF — malware analysis report

Static analysis result for SHA-256 1fabfe945831878d…

Verdict: MALICIOUS
File type: PDF
Size: 91.8 KB
Created: 2009-02-12 18:45:18 +01:00
Authoring application: Writer (via OpenOffice.org 3.0)
MD5: 8d545de2b61a75b3cf4904277b8544a9
SHA-1: 1f63e7ef202f23f5e98e7dea8ed6b7c790a5d130
SHA-256: 1fabfe945831878d4ba1bec44bcadcd4661a081cbd6d8fcab01c7f7a6f63a05a
Risk score: 68

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link
Note: none of the heuristics below evidences PowerShell execution; the embedded script payload was flagged explicitly without Windows shell-execution primitives, so the T1059.001 mapping is unconfirmed by this static result.

The PDF contains an embedded JavaScript action and a hidden (zero-size) HTML iframe, a combination consistent with a dropper or redirector rather than an ordinary document. The embedded URLs point to external PHP and HTML resources on the same host, which is typical of a multi-stage delivery chain: the PDF runs JavaScript or loads the iframe, and the remote page serves the next stage or a phishing lure. The static heuristics only establish that script execution and external content loading are present; what the remote URLs serve was not observed in this analysis.

Heuristics (4)

  • PDF contains hidden external HTML iframe  [high]  PDF_HIDDEN_HTML_IFRAME
    PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
  • Embedded script payload in PDF stream  [medium]  PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action  [low]  PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://78.41.233.99/~fhv3/slidein.php
      • http://78.41.233.99/~fhv3/pub/iframepubns10.html

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_00016e39.bin
  SHA-256: cc762cf34885452c309f5137ddf31088fe95327dd2f08ef242ea93dfdd8baf81
  Kind:    pdf-embedded-script
  Source:  PDF decompressed stream script payload at offset 0x16E39
  Size:    93981 bytes

Filename: font_00_sfnt_off0001272e.bin
  SHA-256: 889c7198a2bf6aaef2e65c6fc3c2e653d365bbc5175cb351bfa29e9e127ee8ac
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1272E
  Size:    24248 bytes
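The following is an added example, not code from the report or from the scanner that produced it. It shows how the four heuristics above can be reproduced on a PDF (inflate each /FlateDecode stream, look for a zero-size iframe with an external http(s) src, a <script> tag without Windows shell primitives, a /JavaScript action, and per-channel URL extraction) and how a decoded stream is carved by payload offset with the same naming pattern as the artifacts table. The sample PDF, the example.test URLs and the regexes are constructed for illustration; object streams (/ObjStm) are not recursed into, so the /JavaScript check would miss a dictionary hidden inside one.

```python
"""Minimal reimplementation of the report's PDF heuristics (added example)."""
import re
import zlib

# Rule IDs and severities as listed in the report's heuristics section.
SEVERITY = {
    "PDF_HIDDEN_HTML_IFRAME": "high",
    "PDF_EMBEDDED_SCRIPT_PAYLOAD": "medium",
    "PDF_JAVASCRIPT": "low",
    "EMBEDDED_URL": "info",
}

# (?<!end) keeps the "stream" inside "endstream" from opening a bogus stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
IFRAME_RE = re.compile(
    rb"<iframe[^>]*\bsrc\s*=\s*[\"']?(https?://[^\"'\s>]+)[^>]*>", re.IGNORECASE)
ZERO_SIZE_RE = re.compile(rb"\b(width|height)\s*=\s*[\"']?0(px)?[\"']?(?![\d.])", re.IGNORECASE)
SCRIPT_TAG_RE = re.compile(rb"<script\b", re.IGNORECASE)
# Windows shell-execution primitives; their absence is why a <script> hit is only medium.
SHELL_RE = re.compile(rb"cmd\.exe|powershell|WScript\.Shell|ShellExecute", re.IGNORECASE)
JS_ACTION_RE = re.compile(rb"/S\s*/JavaScript|/JS\s*[(<]")
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")


def extract_streams(pdf):
    """Yield (payload_offset, decoded_bytes) for every stream object.

    /FlateDecode streams are inflated with a decompressobj so truncated data
    still yields its prefix; a corrupt stream falls back to its raw bytes."""
    for m in STREAM_RE.finditer(pdf):
        head = pdf[max(0, m.start() - 400):m.start()]
        i = head.rfind(b"obj")                      # only this object's dictionary
        head = head[i:] if i >= 0 else head
        data = m.group(1)
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                pass
        yield m.start(1), data


def scan(pdf):
    """Apply the four heuristics; return {rule_id: [detail, ...]}."""
    hits = {}

    def fire(rule, detail):
        if detail not in hits.setdefault(rule, []):
            hits[rule].append(detail)

    if JS_ACTION_RE.search(pdf):
        fire("PDF_JAVASCRIPT", "/JavaScript action in an object dictionary")

    # Document-body URLs: blank out stream payloads so each URL is labelled once.
    body = STREAM_RE.sub(b"stream\nendstream", pdf)
    for url in URL_RE.findall(body):
        fire("EMBEDDED_URL", (url.decode("latin-1"), "document body"))

    for offset, data in extract_streams(pdf):
        for m in IFRAME_RE.finditer(data):
            url = m.group(1).decode("latin-1")
            if ZERO_SIZE_RE.search(m.group(0)):      # hidden: width=0 or height=0
                fire("PDF_HIDDEN_HTML_IFRAME", (url, hex(offset)))
                fire("EMBEDDED_URL", (url, "hidden iframe"))
        if SCRIPT_TAG_RE.search(data) and not SHELL_RE.search(data):
            fire("PDF_EMBEDDED_SCRIPT_PAYLOAD", hex(offset))
        for url in URL_RE.findall(data):
            fire("EMBEDDED_URL", (url.decode("latin-1"), "decompressed stream"))
    return hits


def carve_stream(pdf, offset):
    """Return (filename, decoded bytes) for the stream whose payload starts at
    offset, named like the report's artifact embedded_pdf_script_<offset>.bin."""
    for off, data in extract_streams(pdf):
        if off == offset:
            return "embedded_pdf_script_%08x.bin" % off, data
    raise ValueError("no stream payload at offset 0x%x" % offset)


def build_sample_pdf():
    """Constructed test input (not the sample from the report): one page, a
    /JavaScript OpenAction, and a FlateDecode stream carrying a zero-size
    iframe plus a <script> tag. The example.test URLs are placeholders."""
    html = (b"<html><body>"
            b"<iframe src=\"http://example.test/~u/slidein.php\" width=0 height=0 frameborder=0></iframe>"
            b"<script>document.location='http://example.test/~u/pub/landing.html';</script>"
            b"</body></html>")
    comp = zlib.compress(html)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R >> endobj\n",
        b"4 0 obj << /S /JavaScript /JS (app.alert('hello');) >> endobj\n",
        b"5 0 obj << /Length " + str(len(comp)).encode() + b" /Filter /FlateDecode >>\nstream\n",
        comp,
        b"\nendstream\nendobj\n%%EOF\n",
    ])


if __name__ == "__main__":
    sample = build_sample_pdf()
    order = ["high", "medium", "low", "info"]
    for rule, details in sorted(scan(sample).items(), key=lambda kv: order.index(SEVERITY[kv[0]])):
        print("%-7s %s" % (SEVERITY[rule], rule))
        for d in details:
            print("        ", d)
```

Run against a real sample by replacing build_sample_pdf() with open(path, "rb").read(); the offsets printed for PDF_HIDDEN_HTML_IFRAME and PDF_EMBEDDED_SCRIPT_PAYLOAD are the ones to pass to carve_stream to write out the payload for further analysis.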