Malicious PDF — malware analysis report

Static analysis result for SHA-256 3086e863db9bddaa…

Verdict: MALICIOUS
File type: PDF
Size: 3.32 MB
Created: 2010-01-12 15:29:39 -05:00
Authoring application: Acrobat PDFMaker 7.0.7 for Word (via Acrobat Distiller 7.0.5 (Windows))
MD5: e66f5c05b0ca2f1c33a6a666e8e574d2
SHA-1: dbb80c6637f1fc7e9500c4c6c5133428682a90a1
SHA-256: 3086e863db9bddaa7bb4a14f2d6ad69a2614621df41e52f77757391b597bd68b
Risk score: 220

Malware Insights

MITRE ATT&CK
T1553 Subvert Trust Controls; T1059 Command and Scripting Interpreter

The PDF contains embedded JavaScript together with /JPXDecode (JPEG2000) image streams, a combination the JPX heuristic associates with the Adobe Reader JPEG2000 parser exploit family that includes CVE-2018-4990; the rule matches the delivery pattern only and does not confirm that a malformed JP2/JPX object is present. High-severity content heuristics flag advance-fee scam wording and a request for recovery phrases, private keys or similar secrets, which points to a social-engineering lure aimed at credential or key theft. An embedded file attachment and an unusually high stream count add to the score, although the only extracted attachment is an Acrobat Distiller .joboptions settings file that ClamAV does not flag, and most of the extracted URLs are XML/XMP namespace identifiers or localhost addresses rather than payload locations. Confirming an actual exploit or a payload download therefore requires inspecting the JavaScript and JPX objects directly rather than relying on the static score alone.

Heuristics (10)

  • JPXDecode + active content: JPEG2000 CVE-family indicator (severity: high; tag: CVE related; rule: PDF_JPX_CVE_2018_4990_RELATED)
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove that the exact malformed JP2/JPX primitive is present.
  • Recovery secret / private key request (severity: critical; rule: SE_SECRET_RECOVERY_LURE)
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Advance-fee lottery/parcel scam lure (severity: high; rule: SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Password-protected archive handoff (severity: high; rule: SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
  • Unusually high stream count (severity: medium; rule: PDF_MANY_STREAMS)
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low; rule: PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the springframework.org/schema, ns.adobe.com, purl.org and w3.org entries below are XML/XMP namespace identifiers and the localhost entries are loopback addresses; neither is a reachable payload location.
    • http://localhost:8080/sip/nominate/form.do
    • http://www.springframework.org/schema/context/
    • http://www.springframework.org/schema/security
    • http://localhost:8080/sip07/main/articles.xml
    • http://www.springframework.org/schema/aop
    • http://www.springframework.org/schema/aop/spring-aop-2.5.xsd
    • http://www.feedvalidator.org/
    • http://www.feedicons.com/
    • http://www.easymock.org/
    • http://valums.com/ajax-upload/
    • http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    • http://jira.springframework.org/browse/IDE-1103
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.manning.com/
    • http://recaptcha.net/
    • http://jcaptcha.sourceforge.net/
    • http://jackrabbit.apache.org/
    • http://jcp.org/en/jsr/detail?id=170
    • http://htmlcleaner.sourceforge.net/
    • http://www.junit.org/
    • http://java.sun.com/docs/books/jls/third_edition/html/memory.html#17.7
    • http://java.sun.com/j2se/1.5.0/docs/guide/management/agent.html
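As an added example (my code, not the scanner's and not taken from the page), the following Python script implements the object-keyword checks the heuristics above describe: it counts stream objects, looks for /JPXDecode, /JS, /JavaScript, /EmbeddedFile and /URI names, applies the JPX-plus-active-content co-occurrence rule, and extracts and classifies URLs as namespace identifiers, loopback addresses or external hosts. The rule names and severities are those of this report; the 500-stream threshold, the active-content name list and the namespace prefix list are assumptions. The sample PDF is constructed and is not the analysed file. Names are normalised for #xx escapes before matching (/J#53 is /JS), and the main blind spot of this kind of triage is stated in the code: names inside Flate-compressed object streams are invisible without decompression.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not the analysed file): a loosely formed PDF carrying the
# object names the report's heuristics key on. /J#53 is the #xx-escaped
# spelling of /JS; a grep for the literal "/JS" would miss it.
SAMPLE_PDF = b"""%PDF-1.6
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /EmbeddedFiles 6 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /JavaScript /J#53 (app.alert(1);) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://localhost:8080/sip/nominate/form.do) >> >> endobj
6 0 obj << /Names [(payload.bin) 7 0 R] >> endobj
7 0 obj << /Type /Filespec /F (payload.bin) /EF << /F 8 0 R >> >> endobj
8 0 obj << /Type /EmbeddedFile /Length 4 >> stream
MZ\x90\x00
endstream endobj
9 0 obj << /Type /XObject /Subtype /Image /Filter /JPXDecode /Length 2 >> stream
\x00\x00
endstream endobj
10 0 obj << /Type /Metadata /Subtype /XML /Length 86 >> stream
<x xmlns:pdf="http://ns.adobe.com/pdf/1.3/" xmlns:dc="http://purl.org/dc/elements/1.1/"/>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names that make a document "active"; /JPXDecode only scores when one of
# these co-occurs, mirroring the JPX rule in the report (assumed list).
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/XFA", b"/RichMedia",
                b"/Launch", b"/OpenAction", b"/AA")
OTHER_NAMES = (b"/JPXDecode", b"/EmbeddedFile", b"/URI")
MANY_STREAMS = 500  # assumed threshold matching the report's "501+" wording

URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Prefixes of well-known XML/XMP namespace URIs: they identify schemas and
# are not download locations (assumed list, extend as needed).
NAMESPACE_PREFIXES = ("http://www.springframework.org/schema/",
                      "http://ns.adobe.com/", "http://purl.org/dc/",
                      "http://www.w3.org/")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes in PDF names so /J#53 compares equal to /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def classify_url(url: str) -> str:
    if url.startswith(NAMESPACE_PREFIXES):
        return "namespace"
    host = urlparse(url).hostname or ""
    if host in ("localhost", "127.0.0.1", "::1"):
        return "loopback"   # only meaningful on the author's own machine
    return "external"


def scan(pdf: bytes) -> dict:
    """Keyword triage of raw PDF bytes. Blind spot: names inside Flate-
    compressed object streams are not visible without decompression."""
    data = normalize_names(pdf)
    # The trailing lookahead stops /EmbeddedFiles (the name tree) from
    # counting as /EmbeddedFile (an actual attachment object).
    counts = {name.decode(): len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data))
              for name in ACTIVE_NAMES + OTHER_NAMES}
    # "stream" keyword followed by EOL; the lookbehind excludes "endstream".
    streams = len(re.findall(rb"(?<![a-z])stream[\r\n]", data))
    active = any(counts[n.decode()] for n in ACTIVE_NAMES)

    findings = []
    if counts["/JPXDecode"] and active:
        findings.append(("PDF_JPX_CVE_2018_4990_RELATED", "high"))
    if streams > MANY_STREAMS:
        findings.append(("PDF_MANY_STREAMS", "medium"))
    if counts["/JS"] or counts["/JavaScript"]:
        findings.append(("PDF_JS", "low"))
    if counts["/EmbeddedFile"]:
        findings.append(("PDF_EMBEDDED", "low"))
    if counts["/URI"]:
        findings.append(("PDF_URI", "info"))

    urls, seen = [], set()
    for raw in URL_RE.findall(data):
        url = raw.decode("latin-1")
        if url not in seen:
            seen.add(url)
            urls.append((url, classify_url(url)))
    return {"counts": counts, "streams": streams, "findings": findings, "urls": urls}


if __name__ == "__main__":
    result = scan(SAMPLE_PDF)
    print("streams:", result["streams"])
    for rule, severity in result["findings"]:
        print(f"{severity:6} {rule}")
    for url, label in result["urls"]:
        print(f"{label:9} {url}")
```

Run against a real file with `scan(open(path, "rb").read())`. A document that has /JPXDecode but no active-content name produces no JPX finding, which is the point of the co-occurrence rule; conversely a single /JS object in a benign form still produces only the low-severity PDF_JS hit, matching the report's own weighting.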

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: Press_Quality2.joboptions
SHA-256: de637e93f46e8bcb1762cff31575ec1c4335bca325e24ba3928936f51af84c3e
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 1932 at offset 0x2FB830
Size: 15005 bytes
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 13 long base64-like blobs).

Filename: icc_00_off00332b98.icc
SHA-256: 653b586c4707574ffcd648ba35494daed2c76ceafcf4c07d315ed961b1dc347f
Kind: pdf-icc-profile
Source: PDF ICC profile at offset 0x332B98
Size: 408 bytes

Filename: icc_01_off00332cbb.icc
SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
Kind: pdf-icc-profile
Source: PDF ICC profile at offset 0x332CBB
Size: 3144 bytes

The .joboptions extension is Acrobat Distiller's PDF-settings format, consistent with the authoring application recorded in the metadata, and ClamAV reports nothing for it. The 13 base64-like runs should be decoded and inspected before the "payload" label is relied on, since long ASCII-hex runs also satisfy a loose base64 character-class check.
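As an added example (my code, not the scanner's), here is the check behind a "long base64-like blob" count and what to do with the hits: find runs of base64 alphabet, rule out ASCII-hex, decode with strict validation, then classify the decoded bytes by file magic, printability and Shannon entropy so that a settings file's hex strings are not reported as a packed payload. The run length of 40 and the 7.0-bit entropy bar are assumed thresholds; the sample artifact is constructed here and is not the carved .joboptions file.

```python
import base64
import binascii
import math
import re
from collections import Counter

MIN_RUN = 40   # assumed: the report does not say what it counts as "long"
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)
HEX_ONLY = re.compile(rb"^[0-9A-Fa-f]+$")
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip"}

# Constructed artifact (not the carved .joboptions file): settings-style text
# holding an ASCII-hex string, a base64 blob that decodes to a PE/DOS header,
# and a base64 blob that decodes to plain text.
PE_STUB = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
           b"\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00" + b"\x00" * 36)
NOTE = b"All these settings are stored as base64 for no good reason."
SAMPLE_ARTIFACT = (
    b"/Description <FEFF00500072006500730073005F005100750061006C0069> def\n"
    b"/CalRGBProfile (sRGB IEC61966-2.1) def\n"
    b"/Payload (" + base64.b64encode(PE_STUB) + b") def\n"
    b"/Note (" + base64.b64encode(NOTE) + b") def\n"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_blob(run: bytes) -> dict:
    """Decide what a base64-looking run actually is."""
    # ASCII hex satisfies the base64 alphabet and its even length is often a
    # multiple of 4, so it would "decode" to junk; rule it out first.
    if HEX_ONLY.match(run):
        return {"kind": "hex"}
    try:
        raw = base64.b64decode(run, validate=True)
    except binascii.Error:
        return {"kind": "not-base64"}   # wrong length or stray padding
    decoded = next((name for magic, name in MAGIC.items() if raw.startswith(magic)), None)
    if decoded is None:
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw)
        decoded = "text" if printable > 0.95 else "binary"
    ent = shannon_entropy(raw)
    return {"kind": "base64", "decoded": decoded, "size": len(raw),
            "entropy": round(ent, 2), "packed": decoded == "binary" and ent > 7.0}


def scan_artifact(data: bytes) -> list:
    """Every base64-looking run in the artifact, with its triage verdict."""
    results = []
    for m in BASE64_RUN.finditer(data):
        info = triage_blob(m.group(0))
        info.update(offset=m.start(), length=len(m.group(0)))
        results.append(info)
    return results


if __name__ == "__main__":
    for hit in scan_artifact(SAMPLE_ARTIFACT):
        print(hit)
```

Only hits with `kind == "base64"` and a `decoded` value of `pe`, `elf`, `zip`, `pdf`, or `binary` with `packed` set deserve the "payload" label; `hex` and `text` hits are the routine false positives a raw character-class count produces on configuration files.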