Malicious PDF — malware analysis report

Static analysis result for SHA-256 338d4953a949f045…

MALICIOUS

PDF

157.5 KB Created: 2010-06-16 09:54:20 +02:00 Authoring application: Adobe InDesign CS3 (5.0.4) (via Adobe PDF Library 8.0)
MD5: 4136d3b0e00e2698f5f9bf82e8015a5c SHA-1: 2a3edfc60051cbfe1872dd7679d25db6430da0e6 SHA-256: 338d4953a949f0458147eb864695ef1b80cab8a700e2a1550a945c5149a90771
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains multiple embedded JavaScript streams and an embedded script payload, indicating a malicious intent to execute code. The presence of XFA forms and JavaScript actions further supports this. The primary function appears to be downloading and executing a second-stage payload from the embedded scripts.

Heuristics 8

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/sType/Font#
    • http://ns.adobe.com/xap/1.0/g/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xtd/
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#

Extracted artifacts 12

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0012.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 12 at offset 0x1A00B 85 bytes
embedded_file_obj0018.bin
52b1206af7195349900d96c5364b796150a3600d65563da9c72ae5b8ea5389dc		 pdf-embedded-file PDF EmbeddedFile object 18 at offset 0x21DA1 103 bytes
javascript_obj0035_000.js
f979542c4992f256c12537db5bbe5f86605da11ef877e634ccfc2c47c9284b10		 pdf-javascript-stream PDF /JS object 35 at offset 0x3830 1604 bytes
javascript_obj0036_001.js
3bf84668674e23c91aaaa6c58c24a1f80a30566e9cfbd09040882d18101fed76		 pdf-javascript-stream PDF /JS object 36 at offset 0x3A18 902 bytes
javascript_obj0037_002.js
922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc		 pdf-javascript-stream PDF /JS object 37 at offset 0x3B82 2798 bytes
embedded_pdf_script_0001a894.bin
2a305563b6b2c02ce56e644aa21f872186accced1c8ef9280f32ec07012432ee		 pdf-embedded-script PDF raw stream script payload at offset 0x1A894 3122 bytes
icc_00_off0000ae93.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0xAE93 3144 bytes
font_00_cff_off00004954.bin
343a8a5c2595f43d6d6eec1922ef02f7e59c9d5561b44ba587e0cdcc7740d063		 pdf-font-stream PDF embedded font (cff) at offset 0x4954 1647 bytes
font_01_cff_off0000b9ca.bin
4c33cab7e3e4147f820f591729c227dc4768883533e0034df3b5b330f8c5a2d1		 pdf-font-stream PDF embedded font (cff) at offset 0xB9CA 3874 bytes
font_02_cff_off0000ca5d.bin
350d8cd5f27bb845728c31f1afe81ee45517e1f275e5d9c2ac2070cb7f84c15f		 pdf-font-stream PDF embedded font (cff) at offset 0xCA5D 4579 bytes
font_03_cff_off0000ddf7.bin
7fcb2a96be8efe41beed6ca4e0dcb4e2075eadf2661e739382c6551ab5ea8078		 pdf-font-stream PDF embedded font (cff) at offset 0xDDF7 6093 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.41, consistent with packed or encrypted content.
font_04_cff_off0000f5f6.bin
1ef21f1e1c4f86b3961001d4efc8932ff9299446a6611d6cf3b2bf0874c2a878		 pdf-font-stream PDF embedded font (cff) at offset 0xF5F6 3453 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.