Malicious PDF — malware analysis report

Static analysis result for SHA-256 2550815446e7440b…

MALICIOUS

PDF

244.1 KB Created: 2011-04-25 22:48:14 +08:00 Authoring application: WPS Office 个人版 (via PDFlib 7.0.3 (C++/Win32))
MD5: 1188ea8f0d086a8860a3aafb54a3fa76 SHA-1: 9ea44121c104e7d5c979fabe6d518842e0437c8a SHA-256: 2550815446e7440b3f62cc863610035d8afe3435cb28393e7694e53b2693bfe4
224 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell

This PDF file was flagged by multiple high-severity heuristics, including ML classification and ClamAV detection, indicating it contains malicious content. The presence of embedded JavaScript and RichMedia (Flash) suggests an attempt to exploit vulnerabilities. The ClamAV detection name 'Pdf.Exploit.Agent-30341' strongly points towards an exploit targeting PDF viewers. The embedded artifacts and suspicious structure further support the conclusion that this file is designed to deliver a malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9957

Heuristics 9

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV: Pdf.Exploit.Agent-30341 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-30341
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 15

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
2bbe69c5e9b01e09ead01d39980623115955d79663f86ee38c3e26d62468aede		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x380F 163 bytes
embedded_file_obj0002.bin
2db2fcfa6c7f0b58af35cd0b7a546eab3e22594fa9e6a322d8448248c1371742		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x38FF 1683 bytes
embedded_file_obj0003.bin
6824595d40fe37ff3a17665623abb424df29f2bf3924106e83b1192a2fc6fa0d		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x3C21 784 bytes
embedded_file_obj0004.bin
720c47f19e6a058099295d18a16b7149cc73fe497eb78821ea810f3192228dc4		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x3E15 150 bytes
embedded_file_obj0005.bin
c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x3EE6 2955 bytes
embedded_file_obj0006.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x4260 200 bytes
embedded_file_obj0007.bin
41b90835819d2fc9adfbed1f624b97daf557be436627d29ad24fdfcbedc74198		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x4353 835 bytes
embedded_file_obj0008.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x452B 56 bytes
stream_002_off000003d6.js
529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3D6 1363 bytes
stream_003_off000005b3.js
e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5B3 902 bytes
objstm_0041_00.bin
cc0d110077f81314ac59a491675430d25faa86bdc2526ed35971cf361ac83464		 pdf-objstm-decoded PDF /ObjStm 41 0 obj (inflated) 1575 bytes
font_00_sfnt_off0000da83.bin
9a32db0e183cdf782b81066418fef75971086fe2d679e0636228d3ed6db9c099		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDA83 238412 bytes
font_01_sfnt_off0001b661.bin
159eb0a8f39a74b7d24bc1abe870d4a12266aec0d1466cf158cfc69f58ec81d4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1B661 21316 bytes
polyglot_child_pdf_off0000c71d.pdf
5adb91536fc18f28acf2baad7de1f03b1133a19c2db94db648475e21e435c451		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xC71D 198940 bytes
polyglot_child_pdf_off0003b84c.pdf
0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x3B84C 6125 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.