Malicious PDF — malware analysis report

Static analysis result for SHA-256 3163af672d288992…

Verdict: MALICIOUS
File type: PDF
Size: 106.6 KB
Created: 2010-02-07 22:10:13 +01:00
Authoring application: LaTeX with hyperref package (via xdvipdfmx (0.6))
MD5: d99963946c6a02bb0bf2947ce4d0e56d
SHA-1: 572db27266b29a6a2a700279d0efd7ff9f4ca594
SHA-256: 3163af672d288992fd7c75e1033b0a21f384ee70f10f3d9409a650e279734c6b
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File
  • T1204.002 Malicious File: User Execution
  • T1059 Command and Scripting Interpreter
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains an embedded script payload and a launch action, indicating an attempt to execute external code. The heuristic 'PDF_LAUNCH' directly points to this malicious behavior. The embedded script, though not fully detailed, is flagged as suspicious and likely contributes to the execution of a second-stage payload. The URL http://www.foo.be/ is also flagged as external and potentially malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7395

Heuristics (5)

  • Launch action (critical, PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path, which can start an external application.
  • Embedded script payload in PDF stream (high, PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.foo.be/
    • http://www.gitorious.org/~adulau

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size, Detection.

  • embedded_pdf_script_00019d56.bin
    SHA-256: d58097012b1af309729b9ef82edc713686e4915cb4f6c594df9f040d79a2b795
    Kind: pdf-embedded-script
    Source: PDF decompressed stream script payload at offset 0x19D56
    Size: 109088 bytes
    Detection: ClamAV: No threats found; Obfuscation or payload: likely
    Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 1 long base64-like blob(s).
  • font_00_cff_off0000e989.bin
    SHA-256: 09e18e495b68106a55aace3f441183e73b28de0f6fbcb0af0b76d08e38de00da
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xE989
    Size: 15636 bytes
  • font_01_sfnt_off00012a07.bin
    SHA-256: 1bbf8d898c7de34b2ed1bfb68d2725a06e3c5e09957aee601794b4fe88adb9f4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12A07
    Size: 13054 bytes
  • font_02_cff_off00015ec5.bin
    SHA-256: 81cd2ec160f0dbbfecf3a7282aa50fb69c8be6a3e42aa5a6d27c573cc7517a2e
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x15EC5
    Size: 7529 bytes
  • font_03_cff_off00017f0f.bin
    SHA-256: 19f70b70255abac1a93513d95c8ae661c9f9d2f99400a22c24727869e919e5ad
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x17F0F
    Size: 7369 bytes