Malicious PDF — malware analysis report

Static analysis result for SHA-256 2718a937b202c346…

Verdict: MALICIOUS
File type: PDF
Size: 946.7 KB
Created: 2010-06-11 23:23:27 +08:00
MD5: f36f2154cb056645e2a2541bf30fa715
SHA-1: 5f57731966571a30af1d536b291b10cebfa630c8
SHA-256: 2718a937b202c34675c3e265da0153419bbc9b2d16ff83d547fd27803d286872
Risk score: 126

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

Note: nothing in the heuristics or carved artifacts below shows PowerShell; the evidence on this page is PDF JavaScript, Flash RichMedia and embedded files. Treat the T1059.001 mapping as provisional until the carved JavaScript streams have been read.

The PDF carries embedded JavaScript and a /RichMedia (Adobe Flash) annotation, a pairing historically used to exploit the reader's Flash runtime; the 2010 creation timestamp (document metadata, so not authoritative) is consistent with that era of exploit documents. The Nyx classifier independently scored the file as malicious with high confidence (0.9943). Eight EmbeddedFile objects sit alongside the JavaScript, the layout of a downloader or nested-payload dropper; one of them (embedded_file_obj0003.bin) contains a long base64-like blob that ClamAV did not recognise, so the verdict rests on structure and the classifier rather than on a signature match. The five URLs extracted are XMP/RDF metadata namespace URIs (w3.org, ns.adobe.com, purl.org) and are not network indicators. The next analyst step is to read the two carved JavaScript streams and the decoded object stream for the API calls (launch, export, URL fetch) that would confirm the delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9943

Heuristics (9)

  • RichMedia (Flash) [high] PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash), a historic exploit vector (matched inside decoded stream).
  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic (matched inside decoded stream).
  • PDF paints image(s) but contains no text operators [info] PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams: the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. Informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (11)

Files carved from inside the sample during analysis.

  • embedded_file_obj0001.bin (163 bytes)
    Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 1 at offset 0x1293
    SHA-256: e405650d4ac92f5d47e585a337bd79a9a50dd76330cdb18692dcecff6596f2ff
  • embedded_file_obj0002.bin (1590 bytes)
    Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 2 at offset 0x1384
    SHA-256: 9f71924d3a4a7f2af4b395c8c7b67019dd7e7dd934e3d0d6b494a5b381409a40
  • embedded_file_obj0003.bin (4685 bytes)
    Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 3 at offset 0x167E
    SHA-256: 177b2fc50ec490fd5fb84b3903495957db47c0300b5d544fb80c9dac46ec11e8
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)
  • embedded_file_obj0004.bin (199 bytes)
    Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 4 at offset 0x1EB5
    SHA-256: e893fc6010e845f2d992671bea3fe5dbb18bd6d442b5e3f98d9a1f1599fafd25
  • embedded_file_obj0005.bin (2955 bytes)
    Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 5 at offset 0x1FA3
    SHA-256: c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9
  • embedded_file_obj0006.bin (200 bytes)
    Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 6 at offset 0x231D
    SHA-256: 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
  • embedded_file_obj0007.bin (835 bytes)
    Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 7 at offset 0x2410
    SHA-256: 4f314214dac46fadf84f817c59256b3dc06f17a651fa21d3e6824e2f7fe0db56
  • embedded_file_obj0008.bin (56 bytes)
    Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 8 at offset 0x25E9
    SHA-256: 4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1
  • stream_002_off000003d8.js (1363 bytes)
    Kind: decompressed-pdf-stream  Source: PDF FlateDecoded stream at offset 0x3D8
    SHA-256: 529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f
  • stream_003_off000005b5.js (902 bytes)
    Kind: decompressed-pdf-stream  Source: PDF FlateDecoded stream at offset 0x5B5
    SHA-256: e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a
  • objstm_0046_00.bin (1809 bytes)
    Kind: pdf-objstm-decoded  Source: PDF /ObjStm 46 0 obj (inflated)
    SHA-256: 846810dcc7a8789df1cfb48c038d06af1eadfa8ce2aeafffc8856a14cf082307