Malicious PDF — malware analysis report

Static analysis result for SHA-256 23107f24cae91963…

Verdict: MALICIOUS
File type: PDF
Size: 2.43 MB
Created: 2020-07-06 09:34:21 -07:00
Authoring application: Writer (via LibreOffice 6.4)
First seen: 2022-07-15
MD5: 7ea191e6d3ec1002c06428d08248e5c0
SHA-1: 612685f8df4fb54612945b8792d86483aac5a023
SHA-256: 23107f24cae919634c6247baca34fdb464e2ab1adc4acf5fce7ef6642cc5537e
Risk score: 324

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1105 Ingress Tool Transfer
  • T1027 Obfuscated Files or Information

The PDF triggers multiple critical heuristics indicating embedded Windows executable payloads and a ZIP archive appended after the final %%EOF. It also carries secondary embedded PDF bodies with suspicious static findings and an embedded OLE/CFB Office document that itself contains an executable. Together these strongly suggest the PDF is a dropper built to deliver and execute malware.

Machine Learning

  • Nyx PDF Classifier clean score 0.1061

Heuristics (9)

  • [critical] PDF_EMBEDDED_PE_PAYLOAD: Embedded Windows executable payload in PDF stream
    PDF stream bytes contain an embedded Windows executable with a verified PE header (the MZ header's e_lfanew points at a PE signature). Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • [critical] POLYGLOT_CHILD_PDF_STATIC_TRIAGE: Secondary embedded PDF body has suspicious static findings
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE: Embedded Office document has suspicious static findings
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • [critical] OLE_EMBEDDED_EXE: Embedded PE executable
    MZ/PE header found inside the document — possible embedded executable.
  • [high] POLYGLOT_PDF_ZIP_APPENDED: PDF with appended ZIP archive
    A ZIP local-file header was found AFTER the last %%EOF in this PDF — a polyglot pattern where the same bytes are a valid PDF for a PDF reader and a valid ZIP for an archive parser.
  • [medium] ARCHIVE_CORRUPT: Corrupt or invalid ZIP archive
    The file appears to be a ZIP archive but could not be opened. It may be corrupt or deliberately malformed.
  • [medium] OLE_PARSE_EMPTY_STREAMS: CFB header with no readable streams
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
  • [info] OFFICE_FORMAT_UNSUPPORTED: Unsupported Office format for VBA extraction
    olevba could not extract VBA macros (AttributeError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The single URL below is the OOXML DrawingML namespace identifier, a string present in virtually every Office document; it is not a download or command-and-control indicator and does not by itself warrant blocking.
    URL http://schemas.openxmlformats.org/drawingml/2006/main
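The carving logic behind the embedded-PE, secondary-PDF and appended-ZIP heuristics above, as an added worked example in Python. This is not the scanner's own code: it reuses the report's heuristic IDs only as labels, and it runs over a sample constructed in memory (a PDF whose first object is a FlateDecode stream holding a fake PE image, whose second object holds a raw child PDF, and which has a ZIP local-file header appended after the final %%EOF). The e_lfanew ceiling of 0x1000 and the stream regex (which ignores /Length) are simplifying assumptions.

```python
import re
import struct
import zlib

MZ, PE_SIG = b"MZ", b"PE\0\0"
PDF_MAGIC, PDF_EOF = b"%PDF-", b"%%EOF"
ZIP_LFH = b"PK\x03\x04"
# A stream body: 'stream' (not the tail of 'endstream'), EOL, bytes, EOL, 'endstream'.
# Simplification: a real tool honours /Length instead of searching for the keyword.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def find_all(data, needle):
    """Every offset of needle in data (overlapping matches included)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def find_pe_headers(buf):
    """Offsets of 'MZ' headers whose e_lfanew lands on a PE\\0\\0 signature.
    A bare 'MZ' occurs by chance in binary data; the e_lfanew round trip is
    what makes it a verified PE header. The 0x1000 ceiling is an assumption."""
    hits = []
    for pos in find_all(buf, MZ):
        if pos + 0x40 > len(buf):
            continue
        e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
        sig = pos + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and buf[sig:sig + 4] == PE_SIG:
            hits.append(pos)
    return hits


def inflated_streams(data):
    """(file offset, inflated bytes) for each stream body that zlib can decode."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append((m.start(1), zlib.decompress(m.group(1))))
        except zlib.error:
            pass  # uncompressed, non-Flate, or deliberately corrupt stream
    return out


def find_child_pdfs(data):
    """Offsets of a '%PDF-' magic at a nonzero offset (a secondary PDF body)."""
    return [p for p in find_all(data, PDF_MAGIC) if p > 0]


def zip_after_last_eof(data):
    """Offset of a ZIP local-file header after the final %%EOF, or None."""
    last = data.rfind(PDF_EOF)
    if last == -1:
        return None
    pos = data.find(ZIP_LFH, last + len(PDF_EOF))
    return None if pos == -1 else pos


def triage(data):
    """(heuristic label, offset info) for each check that fires on data."""
    findings = [("OLE_EMBEDDED_EXE", off) for off in find_pe_headers(data)]
    for s_off, body in inflated_streams(data):
        for off in find_pe_headers(body):
            findings.append(("PDF_EMBEDDED_PE_PAYLOAD", (s_off, off)))
    findings += [("POLYGLOT_CHILD_PDF", off) for off in find_child_pdfs(data)]
    zip_off = zip_after_last_eof(data)
    if zip_off is not None:
        findings.append(("POLYGLOT_PDF_ZIP_APPENDED", zip_off))
    return findings


def fake_pe():
    """Constructed stand-in for a PE image: DOS header, e_lfanew = 0x40, PE sig."""
    return MZ + b"\0" * 58 + struct.pack("<I", 0x40) + PE_SIG + b"\0" * 60


def build_sample():
    """Constructed sample: Flate stream holding fake_pe(), raw child PDF in a
    second stream, and a ZIP local-file header appended after the last %%EOF."""
    pe_stream = zlib.compress(fake_pe())
    child = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    pdf = (b"%PDF-1.7\n1 0 obj\n<< /Length " + str(len(pe_stream)).encode()
           + b" /Filter /FlateDecode >>\nstream\n" + pe_stream + b"\nendstream\nendobj\n"
           + b"2 0 obj\n<< /Length " + str(len(child)).encode() + b" >>\nstream\n"
           + child + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")
    # 30-byte local-file header (version 2.0, stored, name length 5) plus the name
    lfh = ZIP_LFH + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, 0, 0, 0, 5, 0) + b"x.txt"
    return pdf + lfh


if __name__ == "__main__":
    for label, where in triage(build_sample()):
        print(f"{label:26} {where}")
```

Run it on a real sample by replacing build_sample() with the file's bytes; the PDF_EMBEDDED_PE_PAYLOAD hit reports the stream's file offset together with the PE's offset inside the inflated stream, which is the pair you need to carve the payload.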

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_00008ccc.exe
  SHA-256: 5d5a9fb1f248eb201279f4324ffbfd5fdc6b10d9d60d75f73fa9a8c32cd6a738
  Kind: embedded-pe
  Source: PDF decompressed stream, PE payload at offset 0x8CCC
  Size: 2507310 bytes

Filename: polyglot_child_pdf_off00003c4c.pdf
  SHA-256: 488ec40769e020cf9b94312ade4a97086eab3795d8c16b3752599ac52d018d65
  Kind: polyglot-child-pdf
  Source: Secondary PDF body inside PDF container at offset 0x3C4C
  Size: 2527952 bytes

Filename: embedded_pdf_00003c4a.exe
  SHA-256: 07a634476b6c05db3e5f22b302eb5a459130c1756f5b2715ed8dc7bab1d46dfe
  Kind: embedded-pe
  Source: PDF decompressed stream, PE payload at offset 0x3C4A
  Size: 2305004 bytes

Filename: polyglot_child_pdf_off000366d0.pdf
  SHA-256: 7d39dadf820b2c52dc2a2acb3f9247d0bc233cfeb489ee6be282f6212fd92715
  Kind: polyglot-child-pdf
  Source: Secondary PDF body inside PDF container at offset 0x366D0
  Size: 2320460 bytes

Filename: embedded_office_0003d968.exe
  SHA-256: 71e211bd32274e04a0f90b4537407ef8ee0458141f89adf8ef510d5007d436a0
  Kind: embedded-pe
  Source: Office MZ+PE at offset 0x3D968
  Size: 1163776 bytes

Filename: embedded_office_off001133b4.ole
  SHA-256: 7329408652e48bb13b2704d0fa18193d4abcc07a905a5927fa3da1cdecd79565
  Kind: embedded-office
  Source: Embedded OLE/CFB Office body inside PDF container at offset 0x1133B4
  Size: 1416040 bytes