Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f46751a9edf172f…

Verdict: MALICIOUS
File type: PDF
Size: 246.6 KB
Created: 2010-03-24 17:01:04 -06:00
Authoring application: Writer (via iSEDQuickPDF 5.11 (www.sedtech.com))
MD5:     fd0461e8557a0fe4df218196d064d18b
SHA-1:   75014e0f5f5825a9cf1acc4d74da234c1f6551ae
SHA-256: 2f46751a9edf172f472b13f93070fb513e4aac201260c08e02b8eedb734b679c
Risk score: 92

Malware Insights

MITRE ATT&CK
  T1059.001 Command and Scripting Interpreter: PowerShell
  T1566.001 Phishing: Spearphishing Attachment
  T1204.001 User Execution: Malicious Link
Note: nothing in the heuristics or carved artifacts below shows PowerShell or a followable link (the extracted URLs are XMP namespace identifiers), so the T1059.001 and T1204.001 mappings are unconfirmed until the JavaScript streams have been deobfuscated.

The PDF contains embedded JavaScript wired to an /OpenAction trigger, so an action fires automatically when the document is opened. The callback phone lure suggests a phishing or tech-support scam. The JavaScript streams may be responsible for downloading and executing a secondary payload, but their exact behaviour could not be established here because the code is obfuscated; the carved streams listed under Extracted artifacts are where this has to be confirmed. The extracted URLs are XMP metadata namespace identifiers and provide no further indicators.

Heuristics 7

  • OpenAction trigger high PDF_OPENACTION
    PDF has an /OpenAction — code runs automatically when opened
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Additional-actions dictionary low PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are XMP/RDF schema namespace identifiers from the document's metadata packet, not links a reader can follow.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 12

Files carved from inside the sample during analysis.

Each entry: filename, then kind / source / size, then SHA-256 of the carved file.

javascript_obj0025_000.js
  Kind: pdf-javascript-stream  Source: PDF /JS object 25 at offset 0x197  Size: 6007 bytes
  SHA-256: 009995ee95e939a659f17dce536cdc5621fc6deb4a017fa64d5322f23e9b9b2d
javascript_obj0065_001.js
  Kind: pdf-javascript-stream  Source: PDF /JS object 65 at offset 0x142F9  Size: 126 bytes
  SHA-256: 3bff2e7518bafb97ae5737d3225f1b75fc04ca175a4b7b80139fa604d9576621
javascript_obj0066_002.js
  Kind: pdf-javascript-stream  Source: PDF /JS object 66 at offset 0x143B3  Size: 128 bytes
  SHA-256: d4620f680c6ec564ad9a41bdd4ab582fd8cf856bf1341dc2814d1f146b837d49
javascript_obj0067_003.js
  Kind: pdf-javascript-stream  Source: PDF /JS object 67 at offset 0x14471  Size: 126 bytes
  SHA-256: 8ab6cb9efa161b5ec98e37c880b3badeadfbb379652796b50545e995e89724b5
javascript_obj0072_004.js
  Kind: pdf-javascript-stream  Source: PDF /JS object 72 at offset 0x1834C  Size: 59 bytes
  SHA-256: 497919cc79728056ba88bb77c62473be372590d388e8df3bab23675430841bae
javascript_obj0247_005.js
  Kind: pdf-javascript-stream  Source: PDF /JS object 247 at offset 0x25290  Size: 5084 bytes
  SHA-256: 5c69d88fc2b105ffa71198bd2a533dc7e896c6514747d59edbe540813d28e823
javascript_obj0487_006.js
  Kind: pdf-javascript-stream  Source: PDF /JS object 487 at offset 0x39AF4  Size: 6031 bytes
  SHA-256: 87386bf1c69bb928a4dcbe4c96afa42e0c0e38c72b74e3755500beddfeed080e
javascript_obj0062_007.js
  Kind: pdf-javascript-stream  Source: PDF /JS object 62 at offset 0x14031  Size: 946 bytes
  SHA-256: 1d7770c88d5255830cf774bd5eead250b6f618459ab960935dfc873878d4b856
javascript_obj0064_008.js
  Kind: pdf-javascript-stream  Source: PDF /JS object 64 at offset 0x141E9  Size: 1386 bytes
  SHA-256: 89b52649eab1a0a087b554928e31ae7d2374b31749be8a4fb499d884471f5726
icc_00_off00031321.icc
  Kind: pdf-icc-profile  Source: PDF ICC profile at offset 0x31321  Size: 3144 bytes
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
font_00_sfnt_off00006542.bin
  Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x6542  Size: 60348 bytes
  SHA-256: caf25ee251f3d243a323988fe14ee3104e18cfb883d9cbae00f7aff118b35416
font_01_sfnt_off0000ffb3.bin
  Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0xFFB3  Size: 20236 bytes
  SHA-256: e62e357cd5cb6c5f574a8af46a5344b009bd429922a0844f0ee622d70f208d7f