Malicious PDF — malware analysis report

Static analysis result for SHA-256 21264fb343d7cfda…

Verdict: MALICIOUS
File type: PDF
Size: 193.4 KB
Created: 2013-11-20 13:24:26 -06:00
Authoring application: QuickLinQs 5.0 (via PDFlib+PDI 6.0.3 (.NET/Win32))
MD5: 99421d85560eb21fed31345956d691ba
SHA-1: 8071be84f21a80eeeb5b5fc12fda1e920834ccb7
SHA-256: 21264fb343d7cfda2aba80ab981a60915f2602bb894d06740ba736ea7ef96b1a
Risk Score: 86

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple PDF_JAVASCRIPT and PDF_JS heuristic firings. The presence of an AcroForm button with an action trigger further suggests user interaction is intended to initiate malicious activity. The embedded JavaScript streams are likely responsible for downloading and executing a second-stage payload, as is common in PDF-based malware delivery. While specific URLs are present, their reputation is unknown, and the document body is unreadable, limiting further analysis of the lure. The primary attack vector appears to be the execution of embedded JavaScript.

Machine Learning

  • Nyx PDF Classifier clean score 0.2412

Heuristics (6)

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
javascript_obj0191_000.js | 5013ae210f185f324444c5503254a24d134aa01a19a7935beea1e8070519917c | pdf-javascript-stream | PDF /JS object 191 at offset 0x27DAD | 81 bytes
javascript_obj0192_001.js | 9921773e6c2168b7f46a7177892b4345297532400ef9a5a345d320ccb5ff0fbe | pdf-javascript-stream | PDF /JS object 192 at offset 0x27E35 | 64 bytes
javascript_obj0299_038.js | 8338c801658f43fb545ef332c71eb263e64caec277762e2c018221219e63553e | pdf-javascript-stream | PDF /JS object 299 at offset 0x2D6AC | 2346 bytes
icc_00_off00006b6b.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x6B6B | 3144 bytes
font_00_cff_off00010e71.bin | e296532701b653ead1694ef0a721d9fdf2911dd2db9b82117a4400f5e2625c2b | pdf-font-stream | PDF embedded font (cff) at offset 0x10E71 | 4626 bytes
font_01_cff_off00012783.bin | c5b76540ff31767923a0d9fdc811cd38ead4e133132527640eb1c7ab91fdf2b9 | pdf-font-stream | PDF embedded font (cff) at offset 0x12783 | 9496 bytes
font_02_cff_off0001509e.bin | 4e6caeebf509b7b35b8fd18c36727647ba60bc7b797facb5190518ab339e49c3 | pdf-font-stream | PDF embedded font (cff) at offset 0x1509E | 8666 bytes
font_03_cff_off0001757a.bin | 336cab85ea3fb0efb583475c4965f513c2b2a0534a612230c8e61251fe6d0b22 | pdf-font-stream | PDF embedded font (cff) at offset 0x1757A | 9214 bytes
font_04_cff_off000197e7.bin | dc597062884ecc4a4271cd62a7e9029bd226db288e97e6b99923e7fee4ac052d | pdf-font-stream | PDF embedded font (cff) at offset 0x197E7 | 785 bytes
font_05_cff_off0001a2e6.bin | 830c8efa2f93531c6cfccc4dc69fee187feca544e6cdff9a4521ece8c1e48941 | pdf-font-stream | PDF embedded font (cff) at offset 0x1A2E6 | 6937 bytes
font_06_cff_off0001c0a6.bin | 1665fe36efc0f2450e4072f7ee223de11d6233269eb86e4523e6580ad0df4bb8 | pdf-font-stream | PDF embedded font (cff) at offset 0x1C0A6 | 7855 bytes
font_07_cff_off0001dd16.bin | 87b37f1d9b5185b114a9f0d2a4fafffd14bc0068af89fe5fd5c78a645c2d2a2a | pdf-font-stream | PDF embedded font (cff) at offset 0x1DD16 | 1592 bytes
font_08_cff_off0001e79c.bin | c948611ec947d00393d1aef47d4b4bd792ec082300254d13594b08419aadda05 | pdf-font-stream | PDF embedded font (cff) at offset 0x1E79C | 4697 bytes
font_09_cff_off0001fc86.bin | 8fe8c2fe5a50d372642529c1ad7af7eec139d3d32357e08e853f9391cbfdd54c | pdf-font-stream | PDF embedded font (cff) at offset 0x1FC86 | 8176 bytes
polyglot_child_pdf_off00000009.pdf | 7bc58630eb99c02fc6063315fa434186e6d6d62c7505b6f46f863e1af786ebf9 | polyglot-child-pdf | Secondary PDF body inside pdf container at offset 0x9 | 197984 bytes