Malicious PDF — malware analysis report

Static analysis result for SHA-256 279ec485df3ea779…

Verdict: MALICIOUS
File type: PDF
Size: 91.5 KB
Created: 2011-04-25 22:48:14 +08:00
Authoring application: Writer (via OpenOffice.org 3.0)
MD5: 20c829f5e903911ea67232213cb6c0a0
SHA-1: 7ff2489beb0c88c0734d21d4e608b40ecabf1f24
SHA-256: 279ec485df3ea7794ebb4695c537c73cd4cd442f98a57e955ffd1a17d71043e0
Risk score: 144

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File

An ML classifier flagged the PDF as malicious with high confidence (score 0.9931). Static analysis found a /RichMedia (Adobe Flash) annotation and an embedded file attachment, both only visible after inflating a compressed stream, plus two secondary PDF bodies carved from nonzero offsets inside the container; all three are established vectors for exploit delivery or nested payloads. The single page paints one image and emits no text, so the document body gives no readable clue to the lure, but the combination of active and nested embedded objects with the high ML score strongly suggests an exploit attempt or a payload delivery mechanism. Two caveats for the analyst: the "OpenOffice.org Writer" authoring claim comes from XMP metadata, which is trivially edited and is not corroborated by the content (a stock Writer export does not emit /RichMedia annotations), and the extracted URLs are all XMP schema namespace identifiers rather than links a reader would follow.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9931

Heuristics (6)

  • [critical] POLYGLOT_CHILD_PDF_STATIC_TRIAGE: secondary embedded PDF body has suspicious static findings
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes the file to a ZIP/OLE handler while a PDF reader or downstream parser opens the hidden PDF payload. Here the outer container is itself a PDF, so the practical question is which of the bodies a given reader resolves (see Extracted artifacts).
  • [high] PDF_RICHMEDIA: RichMedia (Flash)
    PDF contains /RichMedia (Adobe Flash), a historic exploit vector. The key was matched inside a decoded stream, so a scanner that greps raw bytes without inflating FlateDecode streams would not see it.
  • [low] PDF_EMBEDDED: embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload (matched inside a decoded stream).
  • [info] PDF_IMAGE_ONLY_LURE: PDF paints image(s) but contains no text operators
    PDF has 1 image XObject and its content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either the raw bytes or the decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or a risky URI context.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are standard XMP/RDF schema namespace identifiers from the document's XMP metadata (RDF, XMP Basic, Dublin Core, XMP Media Management, Adobe PDF schema), not links a reader would follow:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                            Kind                 Source                                                      Size
objstm_0026_00.bin                  pdf-objstm-decoded   PDF /ObjStm 26 0 obj (inflated)                             1061 bytes
  SHA-256: a857974669b840d75523cf076c96d626e5e0fa5284200c320ba77d68058c256a
polyglot_child_pdf_off00014167.pdf  polyglot-child-pdf   Secondary PDF body inside PDF container at offset 0x14167   11434 bytes
  SHA-256: 195003a636cc7e936168fc04df74b7bfbcb9e0d345b62b65dfb3224299e3fbc3
polyglot_child_pdf_off00015624.pdf  polyglot-child-pdf   Secondary PDF body inside PDF container at offset 0x15624   6125 bytes
  SHA-256: 0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8

Note on the two child PDFs: 0x14167 (82279) + 11434 and 0x15624 (87588) + 6125 both equal 93713, the last byte of the 91.5 KB sample. Each carve therefore runs from its %PDF- header to end of file, and the second header lies inside the first carve, so the two artifacts overlap rather than being independent files: the second is the tail of the first. Which body a reader actually renders depends on how it locates the trailer (readers search backwards from end of file for startxref), which is exactly the parser confusion the polyglot heuristic is meant to surface.
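The script below is an added example, not the vendor's classifier or carving tool: a minimal static triage in Python that reproduces the shape of each heuristic in this report (child PDF carving at nonzero offsets, /RichMedia and /EmbeddedFile keys that only appear after inflating a FlateDecode object stream, the image-without-text check, duplicate object bodies, and URL extraction with XMP namespaces labelled as metadata). The carver takes each %PDF- header to end of file, which matches the overlapping offsets and sizes in the artifact table. The rule names are borrowed from the report for readability; the matching logic is mine, the sample PDF bytes are constructed inline, and the regex-based object and stream parsing is deliberately simple (direct /Length values only, no xref walking), so treat it as a triage sketch rather than a parser.

```python
import re
import zlib

# XMP/RDF schema namespace URIs present in the metadata of almost every PDF;
# listing them lets the URL extractor label them as metadata, not as lures.
XMP_NAMESPACES = {
    b"http://www.w3.org/1999/02/22-rdf-syntax-ns#", b"http://purl.org/dc/elements/1.1/",
    b"http://ns.adobe.com/xap/1.0/", b"http://ns.adobe.com/xap/1.0/mm/", b"http://ns.adobe.com/pdf/1.3/",
}
# Stream dictionaries with a direct /Length; an indirect '/Length n 0 R' is skipped.
STREAM_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R).*?>>\s*stream\r?\n", re.DOTALL)
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URL_RE = re.compile(rb"""https?://[^\s<>"'()\[\]]+""")
TEXT_OP_RE = re.compile(rb"\bBT\b|\bT[jJ]\b")  # the ' and " operators are too noisy to grep for


def carve_child_pdfs(data):
    """[(offset, body)] for every %PDF- header at a nonzero offset. Each body runs to
    end of file, as in the report above, so a nested header yields an overlapping carve."""
    return [(m.start(), data[m.start():]) for m in re.finditer(rb"%PDF-", data) if m.start()]


def stream_bodies(data):
    """Yield each stream payload, inflated when it is FlateDecode (zlib) data."""
    for m in STREAM_RE.finditer(data):
        body = data[m.end():m.end() + int(m.group(1))]
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body  # uncompressed content, XML metadata or a filter zlib cannot handle


def duplicate_objects(data):
    """(num, gen) -> bodies, for indirect objects defined more than once with differing bodies."""
    seen = {}
    for num, gen, body in OBJ_RE.findall(data):
        seen.setdefault((int(num), int(gen)), []).append(body.strip())
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def triage(data):
    """Static triage of one PDF container, keyed by the rule each observation feeds."""
    children = carve_child_pdfs(data)
    # Stream and duplicate-object checks run on the outer container only, so a child
    # that redefines '1 0 obj' is reported as a polyglot rather than as a duplicate.
    outer = data[:children[0][0]] if children else data
    streams = list(stream_bodies(outer))
    haystack = [outer] + streams  # dictionary keys also hide inside decoded /ObjStm streams
    urls = sorted({u for blob in haystack for u in URL_RE.findall(blob)})
    image_count = len(re.findall(rb"/Subtype\s*/Image\b", outer))
    return {
        "POLYGLOT_CHILD_PDF": [off for off, _ in children],
        "PDF_RICHMEDIA": any(b"/RichMedia" in h for h in haystack),
        "PDF_EMBEDDED": any(b"/EmbeddedFile" in h for h in haystack),
        "PDF_IMAGE_ONLY_LURE": image_count > 0 and not any(TEXT_OP_RE.search(s) for s in streams),
        "PDF_DUPLICATE_OBJ_BODY": sorted(duplicate_objects(outer)),
        "EMBEDDED_URL": {u.decode(): "xmp-namespace" if u in XMP_NAMESPACES else "other" for u in urls},
    }


def _stream_obj(num, extra, body):
    """Serialise 'num 0 obj << /Length n extra >> stream body endstream endobj'."""
    return (b"%d 0 obj << /Length %d %s >>\nstream\n" % (num, len(body), extra)
            + body + b"\nendstream\nendobj\n")


# Constructed sample, not the analysed file: an image-only outer PDF whose compressed
# object stream carries /RichMedia and /EmbeddedFile, object 4 redefined with a
# different body, and two further PDF bodies appended after the outer %%EOF.
_OBJSTM = zlib.compress(b"<< /Type /Annot /Subtype /RichMedia /RichMediaContent 7 0 R >>\n"
                        b"<< /Type /Filespec /F (inner.pdf) /EF << /F 8 0 R >> >>\n"
                        b"<< /Type /EmbeddedFile /Params << /Size 0 >> >>\n")
_XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
        b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        b'xmlns:xmp="http://ns.adobe.com/xap/1.0/"/></x:xmpmeta>')
CHILD = b"1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R "
    b"/Resources << /XObject << /Im0 9 0 R >> >> >> endobj\n"
    + _stream_obj(4, b"", b"q 612 0 0 792 0 0 cm /Im0 Do Q")  # paints the image, no text
    + _stream_obj(5, b"/Type /Metadata /Subtype /XML", _XMP)
    + _stream_obj(6, b"/Type /ObjStm /N 3 /First 0 /Filter /FlateDecode", _OBJSTM)
    + b"9 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 >> endobj\n"
    + _stream_obj(4, b"", b"q 300 0 0 400 0 0 cm /Im0 Do Q")  # same object, different body
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    + b"%PDF-1.4\n" + CHILD + b"%PDF-1.3\n" + CHILD
)

if __name__ == "__main__":
    for rule, value in triage(SAMPLE).items():
        print("%-24s %r" % (rule, value))
```

Running it prints the six rule keys with their values for the constructed sample; pointing triage() at the bytes of a real file shows what a raw-byte grep misses, since the /RichMedia and /EmbeddedFile hits here exist only inside the inflated object stream, exactly as the "matched inside decoded stream" notes above describe.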