Malicious PDF — malware analysis report

Static analysis result for SHA-256 256767eb8d1aaf07…

Verdict: MALICIOUS
File type: PDF
Size: 752.6 KB
Created: 2009-03-25 15:33:07 -04:00
Authoring application: Adobe Acrobat 8.0 Combine Files (via Adobe Acrobat 8.0)
MD5: 532e40ba7d94c4b7a6f3ade31fbcda81
SHA-1: b6e2a31feb9e429172c49e34631c4c332cbfc3e0
SHA-256: 256767eb8d1aaf07480d817ee0103cbebbdd93a03ccd90159a05f94a0bd38113
Risk score: 164

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF contains embedded JavaScript and embedded files, with one embedded PDF child exhibiting suspicious static findings. A high-severity heuristic indicates a 'Browser extension / update installation lure,' suggesting social engineering to prompt the user to install a plugin or update. This is a common tactic for credential theft or malware delivery. No scripts were directly extracted or deobfuscated to provide further detail on payload execution.

Heuristics (11)

  • Embedded PDF child has suspicious static findings [critical] PDF_EMBEDDED_CHILD_STATIC_TRIAGE
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • Browser extension / update installation lure [high] SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation.
  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (values as reported; the trailing ")/S/URI" on the first entry is PDF URI-action syntax captured along with the link):
    • URL http://www.pmi.org/PDF/OPM3Handbook.pdf)/S/URI
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (21)

Files carved from inside the sample during analysis. Each entry lists filename, kind, source (PDF object and file offset), size, SHA-256 and, where a scan was run, the detection result.

embedded_file_obj0007.bin
  Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 7 at offset 0x10402 | Size: 85 bytes
  SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
embedded_file_obj0008.bin
  Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 8 at offset 0x104B5 | Size: 3255 bytes
  SHA-256: 8313b0b6cf4ccf8d8f4d08d8239c0eecc8b346f8d0a2ac3b941d0e3fce5023b7
embedded_file_obj0009.bin
  Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 9 at offset 0x10966 | Size: 25389 bytes
  SHA-256: f0c163576d8710e5ef80b0ed22cbd2bb17662f5c9fb5d862a63ed35b74c4ddc0
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 long base64-like blobs).
embedded_file_obj0010.bin
  Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 10 at offset 0x11D04 | Size: 214 bytes
  SHA-256: 7e915b5dd2e321929666a7b64c038b67678092d6e43a4a70683521856a4d5128
embedded_file_obj0011.bin
  Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 11 at offset 0x11DFF | Size: 2423 bytes
  SHA-256: 2d58413fda1ff20c994606823bf49e41194612c0137b6315e50fa7bdc01f1e09
embedded_file_obj0012.bin
  Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 12 at offset 0x120E1 | Size: 2087 bytes
  SHA-256: 4707b0863d526baff0d4c0e4c941064d095f409fb10cf33dc743c077abdc678b
embedded_file_obj0013.bin
  Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 13 at offset 0x1223F | Size: 799 bytes
  SHA-256: b9892eb3317eb6d9f6cdb9a91aa82288daec7e6f91a41505b1799a8d10285cbe
embedded_file_obj0014.bin
  Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 14 at offset 0x1244D | Size: 110 bytes
  SHA-256: b1b296d371e691ae903fc90e2f3bd69eeac3730137d7c7f5d9379aed02cb51d6
javascript_obj0149_000.js
  Kind: pdf-javascript-stream | Source: PDF /JS object 149 at offset 0xBF9 | Size: 1535 bytes
  SHA-256: 04ceb4c2218e7db19a6e007ca4ce846f92c17fff5eaf3a611e71bbd7a5726917
javascript_obj0150_001.js
  Kind: pdf-javascript-stream | Source: PDF /JS object 150 at offset 0xDE5 | Size: 870 bytes
  SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
javascript_obj0151_002.js
  Kind: pdf-javascript-stream | Source: PDF /JS object 151 at offset 0xF40 | Size: 2798 bytes
  SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
font_00_cff_off0000ef3f.bin
  Kind: pdf-font-stream | Source: PDF embedded font (cff) at offset 0xEF3F | Size: 2402 bytes
  SHA-256: a9c85193681ee48fca472bff404852ba0a28d64c103b8dbc31ed7cbf01f3712c
font_01_cff_off0000fac1.bin
  Kind: pdf-font-stream | Source: PDF embedded font (cff) at offset 0xFAC1 | Size: 858 bytes
  SHA-256: 9de92a37c091d12910ec4a37a3ea8eb990d50fd05fc0d8e1720ea93e28f8e0e3
2._Contact_Information.pdf
  Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 3 at offset 0x112D5 | Size: 83366 bytes
  SHA-256: 560244dc21b03aa9de39cdc7074b877578fe82a825cd2360e67e3dc49195e11d
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 20 long base64-like blobs).
3._Education_and_PM_Experience.pdf
  Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 4 at offset 0x1F959 | Size: 54232 bytes
  SHA-256: af2271596ba07e2c831145234eb9d2d48a743e74e920c6c31a126bc503c875ca
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs).
4._Assessing_and_Consulting_Experience.pdf
  Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 5 at offset 0x385DF | Size: 52042 bytes
  SHA-256: d82584ddbf849d8c63f7fb7c926b82210b3165bb88dffeb9c789a85dc8213b98
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs).
5._OPM3_Knowledge_and_Experience.pdf
  Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 6 at offset 0x50B44 | Size: 111832 bytes
  SHA-256: 4dd7414ed83bbb7e23019ed86b8c72f54ccdcc22859c4d2fcbd2abe765339fd8
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs).
7._Fax_Covers_Sheet.pdf
  Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 8 at offset 0x8CEC1 | Size: 72592 bytes
  SHA-256: bd67ce011c52a3d0b799ce7ce8fc2c073205ce761423bf09b82770212f88174d
javascript_obj0038_000.js
  Kind: pdf-javascript-stream | Source: PDF /JS object 38 at offset 0x6AD | Size: 1379 bytes
  SHA-256: 736c69993d4cd953676f5971bd943955c344f3001c77f281afd5d8df5a456b51
stream_015_off00068c7c.bin
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x68C7C | Size: 64259 bytes
  SHA-256: 44a75febaaaaa07ba399ce381361ead12c453742b144277fc335d0c0e293648b
icc_00_off00002144.icc
  Kind: pdf-icc-profile | Source: PDF ICC profile at offset 0x2144 | Size: 3144 bytes
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e