Malicious PDF — malware analysis report

Static analysis result for SHA-256 36ea860638627d1c…

MALICIOUS

PDF

Size: 1.56 MB
Created: 2010-05-22 09:44:50
Authoring application: PScript5.dll Version 5.2.2 (via PlotSoft PDFill 8.0)
MD5: a7841e0e2aa4972fe211effb710fa074
SHA-1: ca9f1ad98f73220cf6d101f5cbd02db4a1526f04
SHA-256: 36ea860638627d1c065452776bea8980bce21c1380c3d2adac83e9181dd16173
Risk Score: 192

Malware Insights

MITRE ATT&CK
T1553.005 Mark-of-the-Web Bypass
T1105 Ingress Tool Transfer

This PDF carries two embedded Windows executables, flagged by the PDF_EMBEDDED_PE_PAYLOAD heuristic and confirmed by ClamAV signatures: the document itself and the carved GqwertyUniv.exe match Win.Trojan.FakeAV-11298, and the carved IC.exe matches Win.Worm.WCGen-1. Both executables are stored as /EmbeddedFile attachments (objects 5 and 14) and are the likely second-stage payloads; the PDF is the delivery vehicle. The only external URI in the file is http://www.pdfill.com, the site of the PDFill tool named in the authoring metadata, so on its own it is weak evidence of a download or C2 channel; the PE attachments carry the verdict.

Heuristics 7

  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header (an MZ stub whose e_lfanew points at a PE signature, not just a leading "MZ"). Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments; in this sample, however, the flagged streams are the two /EmbeddedFile objects (5 and 14) listed under Extracted artifacts, so this heuristic and PDF_EMBEDDED fire on the same bytes.
  • ClamAV: Win.Trojan.FakeAV-11298 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.FakeAV-11298
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.pdfill.com
      Channel: /URI action (/S /URI). The raw extractor match "http://www.pdfill.com)/S/URI" is the URI string's closing parenthesis followed by the /S /URI keys of the action dictionary; those characters are not part of the URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename, kind, source, size and detection, one record per artifact:

GqwertyUniv.exe
  SHA-256: 2b394a0b53da13f6b23ae7a6fa4d777b0f23b13b23a3b07eee80408bcf8ae0bd
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 5 at offset 0xDE
  Size: 1475072 bytes
  Detection: ClamAV: Win.Trojan.FakeAV-11298
  Obfuscation or payload: likely. Carved artifact entropy is 8.00, the ceiling for byte data, consistent with packed or encrypted content. A PE header is itself low-entropy, so a whole-file value this close to 8 means the packed or encrypted section makes up almost the entire 1.4 MB image.

IC.exe
  SHA-256: 77c739b34025f1c53b9c5c753096c0435d4e92395bd94dd116a01d7e1501d2db
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 14 at offset 0x168097
  Size: 159744 bytes
  Detection: ClamAV: Win.Worm.WCGen-1
  Obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

font_00_sfnt_off0018ef55.bin
  SHA-256: 0caf93e9d9abd15da4094a330d02e4bf48a84797891723d50a3f7572cccb1d72
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x18EF55
  Size: 7928 bytes
  Detection: none reported for this artifact
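The three checks this report leans on (a verified PE header inside a decoded PDF stream, the entropy of the carved artifact, and /URI actions in link annotations) can be reproduced with standard-library Python. The script below is an added example written for this page, not the analysis tool's own code. It builds its own constructed sample PDF so it runs offline: the object numbering, the reuse of the name IC.exe as a mere attachment label, and the URL http://example.invalid/stage2 are all made up, and the "PE" is a bare MZ stub plus PE signature followed by hash output standing in for a packed section.

```python
"""Static PDF triage: PE header in decoded streams, carved-artifact entropy, and
/URI actions. Standard library only; a constructed sample PDF is built at the end."""
import hashlib
import math
import re
import struct
import zlib

PE_MAGIC = b"PE\0\0"
# "N G obj << dict >> stream\n"; the tempered dot stops the dict from spanning into
# the next object when an earlier, stream-less object also starts with "<<".
_STREAM_OBJ_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant input, 8.0 for a flat byte histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def has_pe_header(data: bytes) -> bool:
    """A 'verified' PE header: MZ stub whose e_lfanew (offset 0x3C) points at PE\\0\\0.
    A bare 'MZ' is not enough; many non-PE blobs start with those two bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def iter_streams(pdf: bytes):
    """Yield (object number, dict bytes, decoded body) per stream object. The body is
    sliced by /Length; only FlateDecode is decoded. Assumes no object streams
    (/Type /ObjStm) and no encryption, both of which would hide objects."""
    for m in _STREAM_OBJ_RE.finditer(pdf):
        objnum, dictionary = int(m.group(1)), m.group(2)
        length = re.search(rb"/Length\s+(\d+)", dictionary)
        if not length:
            continue
        body = pdf[m.end():m.end() + int(length.group(1))]
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # truncated or non-zlib data: skip rather than abort the run
        yield objnum, dictionary, body


def extract_uris(pdf: bytes) -> list:
    """Targets of /URI (...) literal strings in the raw file. Caveat: PDF escapes
    such as \\) are not unescaped and hex strings <...> are not handled."""
    return [m.group(1).decode("latin-1") for m in _URI_RE.finditer(pdf)]


def triage(pdf: bytes) -> dict:
    """Mirror the report's checks: PE-in-stream, entropy of the carved PE, URIs."""
    pe_streams = [{
        "obj": objnum,
        "embedded_file": b"/EmbeddedFile" in dictionary,  # attachment vs. ordinary stream
        "size": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),
        "entropy": round(shannon_entropy(body), 2),
    } for objnum, dictionary, body in iter_streams(pdf) if has_pe_header(body)]
    return {"pe_streams": pe_streams, "uris": extract_uris(pdf),
            "verdict": "MALICIOUS" if pe_streams else "NO_PE_PAYLOAD"}


# ---- constructed sample, not the analysed file -----------------------------
def build_fake_pe(filler_len: int = 4096) -> bytes:
    """MZ stub (e_lfanew = 0x80), PE signature, zeroed 20-byte file header, then
    deterministic pseudo-random filler (sha256 output) standing in for a packed section."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    filler = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                      for i in range(filler_len // 32))
    return bytes(dos) + PE_MAGIC + b"\0" * 20 + filler


def build_sample_pdf() -> bytes:
    """Hand-written PDF: a Link annotation with a /URI action (made-up URL) and a
    FlateDecode /EmbeddedFile stream, object 5, wrapping the fake PE."""
    payload = zlib.compress(build_fake_pe())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(IC.exe) 4 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (http://example.invalid/stage2) >> >>",
        b"<< /Type /Filespec /F (IC.exe) /EF << /F 5 0 R >> >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream" % (len(payload), payload),
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Running triage(build_sample_pdf()) reports one PE-bearing stream (object 5, flagged as an /EmbeddedFile, entropy well above 7.5 because the filler dominates the small header) and the single URI, which is the same shape of evidence the report shows for this sample. The embedded_file flag is what separates a plain attachment from a PE hidden in an ordinary content stream; on a real file, the next step after a hit is to carve the decoded body out and hand it to AV and a PE parser, as the report did with ClamAV.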