Malicious PDF — malware analysis report

Static analysis result for SHA-256 218c7ba1ec65c273…

Verdict: MALICIOUS
File type: PDF
Size: 44.0 KB
Created: 2010-03-03 03:42:28 +08:00
MD5: b571f218d07d7a2823a1c9a75b599645
SHA-1: fc4ef70f679594af5677a70f5033bdb93a54d8af
SHA-256: 218c7ba1ec65c273a9dead960d02e498160f631d842385c56107f7ded70abf46
Risk Score: 72

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file exhibits characteristics of a phishing lure, including an image-only document with a click-outward action and a small file size. Embedded JavaScript streams and embedded files suggest the document is designed to execute malicious code or download further payloads. The presence of JavaScript actions and embedded scripts indicates an attempt to exploit vulnerabilities or deliver malware upon user interaction.

Heuristics (7)

  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • Image-only document with action trigger (screenshot lure) [medium] PDF_IMAGE_LURE
    PDF has 1 image(s), only 1 text block(s), carries a click-outward action, and is only 44 KB. This is the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic (matched inside decoded stream).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
embedded_file_obj0002.bin | pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0xFC8 | 1465 bytes | 52f043a6fc7df55209bb983ed6c7d2cbf223d70807f647258f3320e58aef00a9
embedded_file_obj0003.bin | pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x1283 | 986 bytes | 75b1b32ce086dcfb46ad5ad812bcac90dbc30017591e95d16cc14e8406c61fbf
embedded_file_obj0005.bin | pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0x14D1 | 2928 bytes | 226eeacc5eecef2a05ca480f144ff6936594e20b5c7672e8f29f25c8bea65a56
embedded_file_obj0006.bin | pdf-embedded-file | PDF EmbeddedFile object 6 at offset 0x183E | 200 bytes | 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
embedded_file_obj0007.bin | pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0x1931 | 835 bytes | 1e96d28fce4fbbc1f0f529e2266e0d503636f29111a4ea3cb8464bc9f6b5250a
javascript_obj0092_000.js | pdf-javascript-stream | PDF /JS object 92 at offset 0x323A | 1946 bytes | 97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61
stream_012_off000029ca.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x29CA | 1532 bytes | f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
stream_013_off00002bb5.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2BB5 | 870 bytes | 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
objstm_0126_00.bin | pdf-objstm-decoded | PDF /ObjStm 126 0 obj (inflated) | 1974 bytes | ba08ce675f5a4edd23a5e7004fab9b39cd9f4a22a78e3315f0f79ca8628e5b98