Malicious PDF — malware analysis report

Static analysis result for SHA-256 29d24de938a8d326…

MALICIOUS

PDF

946.7 KB Created: 2010-06-11 23:23:27 +08:00
MD5: cbbd088138a1dfe43a0ac2f5d08f77bc SHA-1: 5d5a901a38dcb6ba08e91936d137440f6ca5892e SHA-256: 29d24de938a8d3262df539ef901bbcd50cb3bf32900d0355fd988d8afbc97982
96 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript and a rich media object, indicating an attempt to exploit vulnerabilities. The presence of embedded files, particularly 'embedded_file_obj0003.bin', suggests it may contain or be related to the payload. The PDF's structure and heuristics point towards a malicious document designed to execute code, likely for downloading further stages.

Heuristics 9

  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
e405650d4ac92f5d47e585a337bd79a9a50dd76330cdb18692dcecff6596f2ff		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x1293 163 bytes
embedded_file_obj0002.bin
9f71924d3a4a7f2af4b395c8c7b67019dd7e7dd934e3d0d6b494a5b381409a40		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x1384 1590 bytes
embedded_file_obj0003.bin
177b2fc50ec490fd5fb84b3903495957db47c0300b5d544fb80c9dac46ec11e8		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x167E 4685 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
embedded_file_obj0004.bin
e893fc6010e845f2d992671bea3fe5dbb18bd6d442b5e3f98d9a1f1599fafd25		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x1EB5 199 bytes
embedded_file_obj0005.bin
c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x1FA3 2955 bytes
embedded_file_obj0006.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x231D 200 bytes
embedded_file_obj0007.bin
4f314214dac46fadf84f817c59256b3dc06f17a651fa21d3e6824e2f7fe0db56		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x2410 835 bytes
embedded_file_obj0008.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x25E9 56 bytes
stream_002_off000003d8.js
529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3D8 1363 bytes
stream_003_off000005b5.js
e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5B5 902 bytes
objstm_0046_00.bin
846810dcc7a8789df1cfb48c038d06af1eadfa8ce2aeafffc8856a14cf082307		 pdf-objstm-decoded PDF /ObjStm 46 0 obj (inflated) 1809 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.