Malicious PDF — malware analysis report

Static analysis result for SHA-256 300103e47bd219c4…

Verdict: MALICIOUS
File type: PDF
Size: 678.8 KB
Created: 2010-04-13 15:11:33 +01:00
Authoring application: pdftk 1.41 - www.pdftk.com (via itext-paulo-155 (itextpdf.sf.net-lowagie.com))
MD5: 60eefe387fd769db60641c511be1a839
SHA-1: 35aca54252b683e43ed6d782c5da3cc89f80f9ed
SHA-256: 300103e47bd219c41db6c54480130a7ff4af34db8ce1e2864ffdd9a1c9d49ffd
Risk score: 78

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains embedded JavaScript and leverages a U3D/3D content vulnerability (CVE-family indicator) in Adobe Reader. The embedded JavaScript is likely used to download and execute a second-stage payload. Several external URIs were extracted, with http://www.cacetech.com/ being the most frequently referenced and having an unknown reputation.

Heuristics (6)

  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator [high, CVE related] PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • ASCIIHexDecode filter (with exploit indicators) [medium] PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.cacetech.com/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind                  | Source                                   | Size
---------------------------- | ---------------------------------------------------------------- | --------------------- | ---------------------------------------- | ------------
javascript_obj0279_000.js    | 53ef3e86395c29047481d41061937b32759780f8b45be9739a0a576f50df45b1 | pdf-javascript-stream | PDF /JS object 279 at offset 0xA80CF     | 58 bytes
font_00_sfnt_off000095e2.bin | 3728a5aebee02754b48cc7c833a7dfd2c1643eeea58671c2b05dd4425a81e80b | pdf-font-stream       | PDF embedded font (sfnt) at offset 0x95E2  | 84640 bytes
font_01_sfnt_off0000ea7e.bin | 50a8af41ddd97b9d5e20669845738f9de1de6267192fe2c17eb152c0ecd1443e | pdf-font-stream       | PDF embedded font (sfnt) at offset 0xEA7E  | 36196 bytes
font_02_sfnt_off0001d41d.bin | 6ba9731d6c154e83c45b54a57d6756e51f08bbe979d986c1dfc6d9a68c93e319 | pdf-font-stream       | PDF embedded font (sfnt) at offset 0x1D41D | 95036 bytes
font_03_sfnt_off0002e95a.bin | 5ee6023599431d8a3bf65ba2502e507a9f4930f2b79d6c892d94812be7e501fa | pdf-font-stream       | PDF embedded font (sfnt) at offset 0x2E95A | 116728 bytes
u3d_00_off000a7f23.bin       | bd2530871157199c20c44d2549da670059332e38e61c5ce3e612b2cf973bed1d | pdf-3d-stream         | PDF U3D 3D stream at offset 0xA7F23      | 292 bytes