PDF static analysis report

Static analysis result for SHA-256 357451cd9dd08ecb…

Verdict: SUSPICIOUS
Type: PDF
Size: 128.0 KB
First seen: 2015-09-14
MD5: 09896abb5e17cfb3012fdb8cdf829269
SHA-1: 9e3a5d77d7bec3e0b7763e04af6a0b5ea2529079
SHA-256: 357451cd9dd08ecb191489e64901f7cc104139cd8c2b4695247991523d9abaca
Risk Score: 58

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file was flagged by an ML classifier as malicious with high confidence. Static analysis revealed embedded JavaScript streams and an embedded file, indicating an attempt to deliver a secondary payload. The embedded JavaScript is likely responsible for downloading and executing this payload, which is a common technique for initial access.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics (5)

  • JavaScript action (low, 1 related finding) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low) PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/exif/1.0/ (in PDF document text)
    • http://ns.adobe.com/tiff/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/photoshop/1.0/ (in PDF document text)
    • http://cgi.adobe.com/special/acrobat/update (referenced by PDF JavaScript)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0756_000.js | pdf-javascript-stream | PDF /JS object 756 at offset 0x149A | 576 bytes
SHA-256: 3d7a78daacf5c16d10d06d5df2973ed58ffedce9b760f56311e9e88cab506e08
Preview script
First 1,000 lines of the extracted script
{
if (app.viewerType == "Reader")
{
	if (app.viewerVersion < ADBE.Reader_Need_Version && !ADBE.Reader_Value_Asked)
	{
		if (app.alert(ADBE.Viewer_RMA_string_Reader_Old, 1, 1) == 1) this.getURL(ADBE.Reader_Value_New_Version_URL + ADBE.SYSINFO, false);
		ADBE.Reader_Value_Asked = true;
	}
}
else
{
	if (app.viewerVersion < ADBE.Viewer_Need_Version && !ADBE.Viewer_Value_Asked)
	{
		app.response({cQuestion:ADBE.Viewer_RMA_string_Viewer_Old, cDefault:ADBE.Viewer_Value_New_Version_URL + ADBE.SYSINFO, cTitle:ADBE.Viewer_string_Title});
		ADBE.Viewer_Value_Asked = true;
	}
}
}
javascript_obj0757_001.js | pdf-javascript-stream | PDF /JS object 757 at offset 0x15E8 | 904 bytes
SHA-256: 5d55acfba74415c1be36803cfafb9f0c69f9f7281e11287d1a4cfc3d229453f5
Preview script
First 1,000 lines of the extracted script
if (typeof(ADBE.Reader_Value_Asked) == "undefined") ADBE.Reader_Value_Asked = false;
if (typeof(ADBE.Viewer_Value_Asked) == "undefined") ADBE.Viewer_Value_Asked = false;
if (typeof(ADBE.Reader_Need_Version) == "undefined" || ADBE.Reader_Need_Version < 7)
{
	ADBE.Reader_Need_Version = 7;
	ADBE.Reader_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
	ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&w=EBRwRE" + "&r=" + ADBE.Reader_Need_Version;
}
if (typeof(ADBE.Viewer_Need_Version) == "undefined" || ADBE.Viewer_Need_Version < 6)
{
	ADBE.Viewer_Need_Version = 6;
	ADBE.Viewer_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
	ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&w=EBRwRE" + "&r=" + ADBE.Viewer_Need_Version;
}
javascript_obj0758_002.js | pdf-javascript-stream | PDF /JS object 758 at offset 0x174C | 647 bytes
SHA-256: da7be520468380600291d044c2116c9c34d9e6c03b21bea7099727b2284ced42
Preview script
First 1,000 lines of the extracted script
if (typeof(this.ADBE) == "undefined") this.ADBE = new Object();
ADBE.LANGUAGE = "ENU";
ADBE.Viewer_string_Title = "Adobe Acrobat";
ADBE.Viewer_RMA_string_Viewer_Old = (new String("A newer version of Adobe software is required. For more information, copy and paste the URL below into a browser."));
ADBE.Viewer_RMA_string_Reader_Old = (new String("This document has been sent by a user of Acrobat Professional for your review. To participate in this review, Acrobat 6.0 Professional or Standard, or later, or the free Adobe Reader 7.0, or later, is required.\n\nClick OK to get more information on obtaining the latest version of Adobe Reader."));
stream_014_off00013252.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x13252 | 54747 bytes
SHA-256: 52155ae972e61f3dfe2015cf297fb8c6abd4e4fd9c57a22dd21425b4cdfa7394
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.72, consistent with packed or encrypted content.
font_00_cff_off0000d973.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xD973 | 8371 bytes
SHA-256: 19aee313c65922ac510aae7db32f9d03dbf9f58f57c71cb5a7091202cd2a53bc
font_01_cff_off0000f5f1.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xF5F1 | 3052 bytes
SHA-256: f165139aebb2680b56f7606f418fd870b12ae32b472f2066813987de430fa1d2