Malicious PDF — malware analysis report

Static analysis result for SHA-256 35b62871216f21d9…

MALICIOUS

PDF

Size: 5.98 MB
Created: 2010-10-29 12:32:42 +01:00
MD5: 385d4a43ac0cd4a136980c8925f29e5e
SHA-1: d6ed6bc7bec9e136623b2ee4b5dbe7bda052fe3d
SHA-256: 35b62871216f21d94a805cf89691fefda6cd8c8bfff900e55de22443d52f9662
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The PDF file contains embedded JavaScript and is flagged for exploiting CVE-2018-4990. It also contains multiple embedded PDF files, suggesting a multi-stage attack. The embedded JavaScript is likely responsible for initiating the exploit chain, potentially leading to the download of additional malicious payloads. The presence of an external URI, though benign, is noted.

Machine Learning

  • Nyx PDF Classifier clean score 0.0187

Heuristics (7)

  • JPXDecode + active content — JPEG2000 CVE-family indicator (severity: high, CVE related) rule PDF_JPX_CVE_2018_4990_RELATED
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
  • Embedded PDF child has suspicious static findings (severity: critical) rule PDF_EMBEDDED_CHILD_STATIC_TRIAGE
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • Embedded file (severity: low) rule PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • JavaScript action (severity: low) rule PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream (severity: low) rule PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • External URI (severity: info) rule PDF_URI
    PDF contains an external URL action.
  • Embedded URL (severity: info) rule EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

stream_003_off000037c8.bin
  SHA-256: 000e37fcbf9c621b53fcabf9f95421a7cf635b8e6cd08707fc96a1c3679d1272
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x37C8
  Size: 59764 bytes

SDK_Reference_Manual.pdf
  SHA-256: 4874250da20335b97b03a7e1a8ba329899760cd9d2f70aab55fef2430c0c53c6
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 147 at offset 0x8955A
  Size: 48925 bytes

Instruction_Set_Reference_Manual.pdf
  SHA-256: f627fc04ea3568871ee7f812b3e47fa56ecd0e96d5b5677c33846342a6fd3127
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 150 at offset 0x1F1F02
  Size: 149012 bytes

Cn_Standard_Library_Reference.pdf
  SHA-256: 2d30bd2efcf0db64d308267cd690b70f5987d3fb7d505dc8af45027963b85c91
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 153 at offset 0x43A117
  Size: 54462 bytes

stream_000_off00000060.js
  SHA-256: c5627ef99cb8647c5c57c5fd23c422b3395372ea219835962d31c0a47286341d
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x60
  Size: 7147 bytes

font_00_cff_off00085eea.bin
  SHA-256: 46d6cefde37d45d18fcc5c29216199cff91c0e64b0a4892dc2e1aa4d3a90f4b5
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x85EEA
  Size: 2466 bytes

font_01_cff_off000869b5.bin
  SHA-256: 8c6b806d6b4dbadc63b2abff6201ac51cb5e88f43d6bacc387340cd039ec4f43
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x869B5
  Size: 1671 bytes