PDF malware analysis — malicious · 22a68539f8b82cf4

MALICIOUS

PDF

1.03 MB Created: 2010-04-27 09:39:06 +02:00 Authoring application: Adobe LiveCycle Forms 8.2

MD5: cd9378d70f93eb4b0940e5b368c23067 SHA-1: c209bbb93852262a39cff2d859f2bd4cc7d7a9e8 SHA-256: 22a68539f8b82cf4faba19bfc13041da0ed39ce7b4f677b1bb61f9bcc24a9ae8

122 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript and an unusually high number of streams, indicating obfuscation and potential exploit code. ClamAV detected this as Pdf.Exploit.Agent-24274. The embedded JavaScript likely attempts to download and execute a second-stage payload from one of the unknown-reputation URLs. The presence of an embedded file, 'embedded_file_obj0013.bin', further suggests the file is a dropper.

Heuristics 9

ClamAV: Pdf.Exploit.Agent-24274 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-24274
Unusually high stream count medium PDF_MANY_STREAMS

PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
AcroForm button with action trigger low PDF_ACROFORM_BUTTON

PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://himpilot.rz.dvg.sko.de:53248/PdfPlusxUnterbrechen/UnterbrechenSpeichernServlet
- https://himpilot.rz.dvg.sko.de:53248/PdfPlusxArchiv/PrintarchivServlet
- https://himpilot.rz.dvg.sko.de:53248/PdfPlusxFormReset/FormularResetServlet
- https://himpilot.rz.dvg.sko.de:53248/PdfPlusxUnterbrechen/UnterbrechenSpeichernServlet)/ZID(127235406647543816909101)/NameInSigField(TRUE)/Institutsnummer(302)/UA_CHANNEL(2W7lRqb7PVMdRw/Mdq1bzfOLrrp9D7nB)/UA_PORT(TJBOxIR7UIE=)/Context(HimFDL)/UA_DOCUMENTS(u3fJDuTdvsES2u0SUHdhH+DxAUPq2sAPiOXC/yJg5O4h5EtPe4NqFFQcyRWcM7OJOifxPEie1G1Zfb18cbLwnA==)/Bemerkung(TRUE)/UA_QUEUEMANAGER(Q5kEztgSM5JylowJvtHvpg==)/ArchivURL(https://himpilot.rz.dvg.sko.de:53248/PdfPlusxArchiv/PrintarchivServlet)/DocumentMessage(zCY0U5+Y4/JkajgOZjT98LUEE+7RhqFIiwb4D4NiKW/a+sLjqRmBqjvhFTqa8V39QhK89jdmqNkkV9Ex1b5+6Yg1b5vdV5pcyCiSHtsH58rhvsFqxDZuV7Yh0cCQhmpK2MuI6yKrVsmTJqHcHwIepaugnX3VkI3WKLR8DvEYe3dqSgygIiGHHLM3k/46bo2nb+YyXiPrwVJJgwvvZQSet1UJTk/i+xb0bjnVSErBfqrcsxlddPRjhFfa0jQTZYqeZP6A0q7nq/3/J4FbNJswuboWjKbX9MgwxnLReCOd2nrNEKMvOgUPE7ZCtNhnvWY/1DM5frO5/TFZRA34kAzIWFfZt+3C2bORFLbeWbsw54hoklxG4dzLs3D8GLLsne1j5ksTL2MElFn91dh4NuGGNMURk5BAjI92ODTKV5gKqt4DVM9Pjniiq+O2vAVTHjzMMrR1368U0JCyEkXtyoyHuqSUil15cviXNmWDO98dsMs57tme4SuwEDiJE1rrRquv76mgAFwUgiP0S9z/tzh4iGTjThydZ78FbdnSrVnTSC3V0Y64XF34Nr1F++wLk4E/2Z11/lcG7H3apLiyv0T8PwnnLC8jTckGTQvhwCOX4guztnhrsYpafQFM01LNcCRmiGooY6JZTuy/3lKdsfdbUldpQQ0G+S+pHZvUss53BtOpqq96yavNieWARWnUAI7DGS3Ybk0/8jEMkK9xgz75+rK9WuAGjgCrqk8kJl+ehRtrrLo1B3Ci96SsD1BW8URYhzQsSA2h8Da/0Fy1TdSQ8fNNZfnZDEtU3azw/0BKXv3DDJiR3FwJhmU/HV1/BSJkD8ykthhOBLJ/evQwUagKOfOkXViO5feulrDo5+F/USvR/vpLu0XJOLPA+R9lB0IrWwz6NRxZr/hn52QOlWUxiVZrt742h8jUx5E5oS2P3CpIjnm73JYziQl4/m9lFpcWLxB/uGT0XJloqq6bQBQWXp6UzrVPncbOUxu+/PVE8ZVay1JYUEw1kNW9hrZlgc8H5HTPpW92iIRE1t+W6+DmoBsWLgkalIj8s894wLOZjFFsi2KHactZhbrkT1/H/iZRTK+jeeJiZ1zKg3+Z0D2u//LIH9KYIm92apnw4qSbZHlcLRQ216CHeVNlWgIk/TTvINpDTWLxQenhQ0RNNLIIYnAAkLWH0dRE24j6102Msbviw0NjNI7U7MItLaQVvxnNX2R2/xvF1cI/+XCZF0iiQQSp1LkuvPhz9CBS/5oCEhXZGWcaJ6EhfrRKc3uQ9DfwQq1eQ1IVmeRmPmVTSW3xfM0ktZwQPC+N/iPc3467vG1u6kZW1U+NqaOZEbpnlEUN5lKMGR45UC2YLQA8KW1SjcdgUppIZiiTWnGWii0aSnPuVc7v0wXDm5r4QQdRE0Lr90PyE6SKaYaVAyJvzyIQQcL7m4DwRRCZKM+1YIK4aGzpccgrp+XJNBfpx+7GisdG8794cH3eeoKZ8kn5aOoR1JHeCWnjmZ4HMVmIGopqntjML0yE8/6h5461SlWsGXOr5uwc7VUDL3eGaofPIC
- https://himpilot.rz.dvg.sko.de:53248/PdfPlusxFormReset/FormularResetServlet)/archived(FALSE)/resetVersion
- https://himpilot.rz.dvg.sko.de:53248/PdfPlusxUnterbrechen/UnterbrechenSpeichernServlet)/Producer(Adobe
- https://himpilot.rz.dvg.sko.de:53248/PdfPlusxFormReset/FormularResetServlet)/UA_CHANNEL(2W7lRqb7PVMdRw/Mdq1bzfOLrrp9D7nB)/UA_DOCUMENTS(u3fJDuTdvsES2u0SUHdhH+DxAUPq2sAPiOXC/yJg5O4h5EtPe4NqFFQcyRWcM7OJOifxPEie1G1Zfb18cbLwnA==)/ModDate(D:20100427094816+02
- https://himpilot.rz.dvg.sko.de:53248/PdfPlusxArchiv/PrintarchivServlet)/Person(Martin
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xfa/promoted-desc/
- http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 14

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0011.bin` `f7ee3ef2f8f35d669a6c2b8b0b0ee89655bbc3d04b107a8d22531830f6fc28a1`	pdf-embedded-file	PDF EmbeddedFile object 11 at offset 0x54D44	86 bytes
`embedded_file_obj0012.bin` `1f7978028a7598db6e0754f2bfa52473913e10f242b583ca724a9c7077bd6921`	pdf-embedded-file	PDF EmbeddedFile object 12 at offset 0x54DF8	9457 bytes
`embedded_file_obj0013.bin` `51b657483d4e090f41820d1edab113f2e1232aaad1e8c0f0073906f98e8025e1`	pdf-embedded-file	PDF EmbeddedFile object 13 at offset 0x5583D	451696 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 long base64-like blob(s).
`embedded_file_obj0014.bin` `61447dbbc989a39ecaba700abb4b54c8c0f32c389d71503dd24d979c3a75456e`	pdf-embedded-file	PDF EmbeddedFile object 14 at offset 0x61295	2415 bytes
`embedded_file_obj0015.bin` `cc53458bef25ef07a3680673a0d87f8b337cc47094acc2b22ef1e338fc848b31`	pdf-embedded-file	PDF EmbeddedFile object 15 at offset 0x61585	18944 bytes
`embedded_file_obj0016.bin` `1b12193a7c7226bef09874bfb3ba448a445fcbb3f7168314c11ea5b811722079`	pdf-embedded-file	PDF EmbeddedFile object 16 at offset 0x62267	16314 bytes
`embedded_file_obj2270.bin` `e988ff66cb4b8a4ee9f22b017f5a5fbd31879014c2b0ac53f3cbea055523cb79`	pdf-embedded-file	PDF EmbeddedFile object 2270 at offset 0x100415	20236 bytes
`embedded_file_obj2271.bin` `c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb`	pdf-embedded-file	PDF EmbeddedFile object 2271 at offset 0x1011DC	85 bytes
`embedded_file_obj2272.bin` `a24ec3587f50186e47fed0641f157f6380240e9ab7132c9e0a136b6cc86db656`	pdf-embedded-file	PDF EmbeddedFile object 2272 at offset 0x101292	20332 bytes
`javascript_obj1437_000.js` `826c5622c798d67e5281cca7e05933dddc90ccdcb0a6177c9f7d06f11bef8f7f`	pdf-javascript-stream	PDF /JS object 1437 at offset 0x54A36	2795 bytes
`javascript_obj1438_001.js` `4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb`	pdf-javascript-stream	PDF /JS object 1438 at offset 0x548DB	870 bytes
`javascript_obj1439_002.js` `b3c067346d960c54829f3bee5e0537a180506d2366c4d87ed7c777b850e7c9a2`	pdf-javascript-stream	PDF /JS object 1439 at offset 0x546EF	1532 bytes
`font_00_cff_off0005407d.bin` `b6597fa24f8482c585b3c429ff4401500292d74cf3815ef59483edb52125dc33`	pdf-font-stream	PDF embedded font (cff) at offset 0x5407D	1501 bytes
`font_01_type1_off001001d9.bin` `d3b4a3f71aeaaece402e66179568904fc043a6d6ade57087d5188a4f94983ed4`	pdf-font-stream	PDF embedded font (type1) at offset 0x1001D9	58 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.