Malicious PDF — malware analysis report

Static analysis result for SHA-256 23d7daec67e54575…

Verdict: MALICIOUS
File type: PDF
Size: 172.3 KB
Created: 2008-11-06 16:24:49 -05:00
Authoring application: Acrobat PDFMaker 7.0 for Word (via Acrobat Distiller 7.0 (Windows))
MD5: b7719608a3d1b023f4a844ae4e57f51c
SHA-1: ba44259189d74b00d9dc57b48db9b6a2cc7cd270
SHA-256: 23d7daec67e5457511e3a5089b59ef38a43019f3561e435d655ee746c43c29a0
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript and XFA forms, with a high-confidence 'OpenAction' trigger indicating automatic execution upon opening. Heuristics suggest a fake invoice or payment lure, and a callback phishing lure, consistent with social engineering tactics. The embedded JavaScript streams likely contain malicious code designed to exploit vulnerabilities or download further payloads, though their exact function is obscured by obfuscation. The presence of embedded files and JavaScript actions points towards a multi-stage attack.

Heuristics (10)

  • OpenAction trigger (high, PDF_OPENACTION)
    PDF has an /OpenAction — code runs automatically when opened (matched inside decoded stream)
  • Embedded script payload in PDF stream (medium, PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Callback phishing phone lure (medium, SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form (low, PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Fake invoice / payment lure (low, SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
embedded_file_obj0075.bin | pdf-embedded-file | PDF EmbeddedFile object 75 at offset 0x27587 | 85 bytes | c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
embedded_file_obj0081.bin | pdf-embedded-file | PDF EmbeddedFile object 81 at offset 0x297E8 | 916 bytes | 448e6df3d602b90ad0892c3d3ebe9edbb2a3ee02629680d23d58707bcc9e8783
javascript_obj0096_000.js | pdf-javascript-stream | PDF /JS object 96 at offset 0x1AB6 | 1535 bytes | 04ceb4c2218e7db19a6e007ca4ce846f92c17fff5eaf3a611e71bbd7a5726917
javascript_obj0097_001.js | pdf-javascript-stream | PDF /JS object 97 at offset 0x1CA1 | 870 bytes | 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
javascript_obj0098_002.js | pdf-javascript-stream | PDF /JS object 98 at offset 0x1DFB | 2798 bytes | 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
stream_058_off0001d497.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1D497 | 11268 bytes | 1f6bb881442706239ed0be11f6c22662999ec5e763bd66edcdbbc1777a5407da
stream_066_off00027627.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x27627 | 3291 bytes | 4f648584e2232126a585aa4031036cdd0eda1cda6272098b73e937048b724f89
stream_067_off00027ad7.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x27AD7 | 44484 bytes | 68f28970008e15bece1669244ec4f9a448451116b7b27bc93eb5d9973fd9e6ce
stream_068_off00028ebf.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x28EBF | 6005 bytes | 6cd705a2ad9a471437f90754fcae9f03cf551b9ffea60f48c345c2aea632216c
stream_069_off0002941f.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2941F | 2423 bytes | 2d58413fda1ff20c994606823bf49e41194612c0137b6315e50fa7bdc01f1e09
icc_00_off00013254.icc | pdf-icc-profile | PDF ICC profile at offset 0x13254 | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
font_00_sfnt_off000226d9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x226D9 | 11040 bytes | ee2238379926979acca800f457614aeb7dc22a2af87a3b2f2854af89e5ab026f