Malicious PDF — malware analysis report

Static analysis result for SHA-256 39400107ce62146f…

Verdict: MALICIOUS
File type: PDF
Size: 1.89 MB
Created: 2007-06-06 18:37:36 -04:00
Authoring application: AcroForm (via Adobe LiveCycle Designer ES 8.2)
MD5: eb65ef823db4c0c32a1738a4b4613d23
SHA-1: bc59ee618d449abd3dd13d8e7de1a3295cd18148
SHA-256: 39400107ce62146f1470b9e4340b19a611a87a4b74f4c85c6b1b229586e61c68
Risk score: 110

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.002 User Execution: Malicious File

The PDF triggers heuristics for JavaScript actions and embedded files, together with a strong indicator for an advance-fee scam lure. The document body is heavily obfuscated and truncated, which prevented a detailed analysis of its content. However, the presence of embedded files, in particular 'embedded_file_obj4044.bin' (roughly 3 MB, no ClamAV hit, but 71 eval/decoder/string-building tokens in its static triage), suggests the document may be used to deliver a secondary payload. The advance-fee scam lure is a common social-engineering tactic used to get the recipient to interact with the malicious content.

Heuristics (10)

  • [high] SE_ADVANCE_FEE_SCAM_LURE: Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • [medium] PDF_MANY_STREAMS: Unusually high stream count
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • [low] PDF_JAVASCRIPT: JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_EMBEDDED: Embedded file
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • [low] PDF_XFA: XFA form
    PDF uses XML Forms Architecture — can contain script logic
  • [low] PDF_OPTIONAL_CONTENT: Optional Content Group with action trigger
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • [low] PDF_ACROFORM_BUTTON: AcroForm button with action trigger
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All eight URLs below are XML namespace or DTD identifiers (XMP metadata, Dublin Core, XFA, an Apple property-list DTD), not navigable links, and carry no detection weight on their own.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://www.apple.com/DTDs/PropertyList-1.0.dtd
    • http://ns.adobe.com/iX/1.0/
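The PDF_* rules above are keyword-level structural checks. The following Python script is an added illustration of how such checks work and is not the analysis engine's own code: it runs the same checks over a constructed PDF skeleton, decoding #xx name escapes first (so that /J#61vaScript still counts as /JavaScript), counting stream objects, and evaluating the co-occurrence rules behind the OCG and AcroForm-button heuristics. The severities and the 500-stream threshold come from the list above; the sample file, the rule predicates and the regexes are assumptions made for the example.

```python
import re

# Constructed sample (not the analysed file): a skeleton PDF exercising the
# structures the rules above look for. Object 5 hides /JavaScript behind a
# #xx name escape, a trick obfuscated PDFs use to dodge naive keyword greps.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /AcroForm << /Fields [7 0 R] /XFA 8 0 R >> /OCProperties << /OCGs [9 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [7 0 R] >> endobj
4 0 obj << /Type /EmbeddedFile /Length 4 >> stream
abcd
endstream endobj
5 0 obj << /S /J#61vaScript /JS 6 0 R >> endobj
6 0 obj << /Length 12 >> stream
app.alert(1)
endstream endobj
7 0 obj << /Type /Annot /Subtype /Widget /FT /Btn /T (Download) /A << /S /URI /URI (http://example.invalid/x) >> >> endobj
8 0 obj << /Length 0 >> stream
endstream endobj
9 0 obj << /Type /OCG /Name (hidden) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A PDF name object runs from '/' to the next delimiter or whitespace.
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name objects (ISO 32000-1, 7.3.5) so that
    /J#61vaScript is seen as /JavaScript. Only name tokens are rewritten."""
    def unescape(m):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return NAME_TOKEN.sub(unescape, data)


def count_streams(data: bytes) -> int:
    """Count stream objects. The keyword must be followed by EOL (7.3.8), and
    the word boundary keeps 'endstream' from being counted."""
    return len(re.findall(rb"\bstream\r?\n", data))


# rule name -> (severity from the report, predicate over (normalised bytes, stream count)).
# Predicates are this example's assumptions, not the engine's published logic.
RULES = {
    "PDF_JAVASCRIPT": ("low", lambda d, n: b"/JavaScript" in d),
    "PDF_JS": ("low", lambda d, n: re.search(rb"/JS\b", d) is not None),
    "PDF_EMBEDDED": ("low", lambda d, n: b"/EmbeddedFile" in d),
    "PDF_XFA": ("low", lambda d, n: b"/XFA" in d),
    # layer plus an automatic action: content can be hidden while the action still fires
    "PDF_OPTIONAL_CONTENT": ("low", lambda d, n:
                             (b"/OCProperties" in d or b"/OCG" in d)
                             and re.search(rb"/(OpenAction|AA)\b", d) is not None),
    # button field plus a SubmitForm/URI/Launch/JS trigger: the fake "Download" overlay shape
    "PDF_ACROFORM_BUTTON": ("low", lambda d, n:
                            b"/Btn" in d
                            and re.search(rb"/(SubmitForm|URI|Launch|JavaScript)\b", d) is not None),
    "PDF_MANY_STREAMS": ("medium", lambda d, n: n > 500),
}


def triage(pdf: bytes) -> dict:
    """Return the stream count and the rules that fire, keyed by rule name."""
    data = normalize_names(pdf)
    n = count_streams(data)
    hits = {name: sev for name, (sev, pred) in RULES.items() if pred(data, n)}
    return {"streams": n, "hits": hits}


if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    print(f"streams: {result['streams']}")
    for rule, sev in result["hits"].items():
        print(f"{sev:<7} {rule}")
```

Without the name normalisation the /JavaScript rule misses the sample entirely, which is the whole point of the #xx trick; a real triage pass should also resolve the /Filter chain before grepping, since keywords inside compressed object streams are invisible to a raw byte scan.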

Extracted artifacts (23)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind, Source, Size (one artifact per three lines)
embedded_file_obj4042.bin
57a7e2da6826b03458ff8329edc3e4b4a4ee25ffc0b36b53e72269ebbf6c5e89
pdf-embedded-file PDF EmbeddedFile object 4042 at offset 0x81BE1 163 bytes
embedded_file_obj4043.bin
a162c8f4b87db87462f946c207488e304d4131638335bde632e2125b8681af11
pdf-embedded-file PDF EmbeddedFile object 4043 at offset 0x81CD5 7499 bytes
embedded_file_obj4044.bin
504707126fd89284111d1a379f8e3f101aa0a3277451603ec0a38082814dd825
pdf-embedded-file PDF EmbeddedFile object 4044 at offset 0x825EA 3011551 bytes
  Detection (embedded_file_obj4044.bin)
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 71 eval/decoder/string-building token(s).
embedded_file_obj4045.bin
2d58413fda1ff20c994606823bf49e41194612c0137b6315e50fa7bdc01f1e09
pdf-embedded-file PDF EmbeddedFile object 4045 at offset 0xFD512 2423 bytes
embedded_file_obj4046.bin
d0b288445419710536fed2241d6371637c7788f18b5e828324f6ab06c4b7bfb2
pdf-embedded-file PDF EmbeddedFile object 4046 at offset 0xFD7F5 326 bytes
embedded_file_obj4047.bin
2a2eec10e17d6d6442e40039b4ff997d990fa108e585901f0caab31db40cf5c6
pdf-embedded-file PDF EmbeddedFile object 4047 at offset 0xFD90D 120096 bytes
embedded_file_obj4048.bin
c062e331781932a92702eb08aca653b67e6433f74f4404c34d0be5497a167325
pdf-embedded-file PDF EmbeddedFile object 4048 at offset 0x100824 2959 bytes
embedded_file_obj4049.bin
af05f8185c725a70291567ae2112fa9a98b368528a7cc440552f0c0847d95121
pdf-embedded-file PDF EmbeddedFile object 4049 at offset 0x100BEB 85 bytes
embedded_file_obj4050.bin
2330c1b851afed87eb4798e187604ebd3aabca933aefe2cf0af92358677d1df6
pdf-embedded-file PDF EmbeddedFile object 4050 at offset 0x100C9B 36104 bytes
embedded_file_obj4906.bin
6a0974b6a6882b5dc1c6bc04f0f3a5682390100376bbc598a39b4cc40f33edc2
pdf-embedded-file PDF EmbeddedFile object 4906 at offset 0x1843D6 162 bytes
embedded_file_obj4907.bin
c200fab6d2637aab177da3f8250995b9f45547edbb328f98c54acea435b7042d
pdf-embedded-file PDF EmbeddedFile object 4907 at offset 0x1844CB 123358 bytes
embedded_file_obj4908.bin
d730141af2dfed60223df97020f957cb51988cd6db1081b372662d6ff4916e5d
pdf-embedded-file PDF EmbeddedFile object 4908 at offset 0x1878BF 91976 bytes
embedded_file_obj4966.bin
08e003764df758b2777469e830741796d61c682ff51aab5c48b9cfd6327dcfa1
pdf-embedded-file PDF EmbeddedFile object 4966 at offset 0x1A153B 122849 bytes
embedded_file_obj4967.bin
37831316087f6d80d36fc450b590c19793ce29da8e733b4d6d509faacc91b530
pdf-embedded-file PDF EmbeddedFile object 4967 at offset 0x1A491D 91844 bytes
embedded_file_obj5020.bin
e349078141aab3b15896b7a3fb32872d39dc2ba16b5573a3ce362c53b529aa22
pdf-embedded-file PDF EmbeddedFile object 5020 at offset 0x1B66BD 122278 bytes
embedded_file_obj5021.bin
1274436b111efee7137bf55d488d6663da8f48ab54e8490f23675e42f665d0bc
pdf-embedded-file PDF EmbeddedFile object 5021 at offset 0x1B9A2A 91660 bytes
embedded_file_obj5069.bin
b6014e4fc786af7bce70f85c756f3c3a2ce1a24605766c44e112dc4d63d7c6a2
pdf-embedded-file PDF EmbeddedFile object 5069 at offset 0x1CA5D0 122013 bytes
embedded_file_obj5070.bin
4451cb2043cc0e158c2fe143cc34d3ca6ea44b8eeef24e24bf7daad70e0f722a
pdf-embedded-file PDF EmbeddedFile object 5070 at offset 0x1CD90D 91584 bytes
embedded_file_obj5110.bin
9fc9194a7127b59795670c696ac2b862621900ee3aa5bb8f693511803ede4026
pdf-embedded-file PDF EmbeddedFile object 5110 at offset 0x1DB856 123188 bytes
embedded_file_obj5111.bin
c1e576a720efb4db9d705a62489379364e6c7e59390c9330bd7b9b98a0fd41f0
pdf-embedded-file PDF EmbeddedFile object 5111 at offset 0x1DEC93 91459 bytes
javascript_obj4039_000.js
f8721569904600df33f536ddc9f4942717077f9d6c3c4253a8f4de5650fc6531
pdf-javascript-stream PDF /JS object 4039 at offset 0x8158E 1367 bytes
javascript_obj4040_001.js
91ea259764c68d27b8981a339c02d8ea92224ae5c0d0cd0a7c8f3d645d599090
pdf-javascript-stream PDF /JS object 4040 at offset 0x81775 902 bytes
javascript_obj4041_002.js
826c5622c798d67e5281cca7e05933dddc90ccdcb0a6177c9f7d06f11bef8f7f
pdf-javascript-stream PDF /JS object 4041 at offset 0x818D0 2795 bytes
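The rows above record, for each carved stream, its object number, byte offset, size and SHA-256, and the obj4044 entry shows the static triage that the EXTRACTED_FILE_STATIC_TRIAGE rule describes. The Python below is an added example of that carving and triage step and is not the report tool's code: it locates stream objects with a flat dictionary, honours the declared /Length, inflates FlateDecode streams, hashes the decoded bytes, classifies EmbeddedFile streams and streams referenced from a /JS key, and counts eval/decoder/string-building tokens. The sample PDF, its two payloads, the token list and the helper names are constructed for the example.

```python
import hashlib
import re
import zlib

# Constructed sample (not the analysed file). Object 4 is a FlateDecode'd
# EmbeddedFile whose plaintext starts with an MZ header; object 6 is a raw
# /JS stream carrying the kind of decoder tokens the triage rule counts.
EMBEDDED_PLAINTEXT = b"MZ" + b"\x00" * 60 + b"This program cannot be run in DOS mode"
JS_PAYLOAD = b"var s=unescape('%u9090');eval(String.fromCharCode(97,108));eval(s);"


def make_obj(num: int, dict_body: bytes, stream: bytes = None) -> bytes:
    """Serialise one indirect object, with a /Length-declared stream if given."""
    head = b"%d 0 obj << %s" % (num, dict_body)
    if stream is None:
        return head + b" >> endobj\n"
    return head + b" /Length %d >> stream\n" % len(stream) + stream + b"\nendstream endobj\n"


SAMPLE_PDF = (
    b"%PDF-1.7\n"
    + make_obj(1, b"/Type /Catalog /OpenAction 5 0 R")
    + make_obj(4, b"/Type /EmbeddedFile /Filter /FlateDecode", zlib.compress(EMBEDDED_PLAINTEXT))
    + make_obj(5, b"/S /JavaScript /JS 6 0 R")
    + make_obj(6, b"", JS_PAYLOAD)
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# "N G obj << ... >> stream" with a flat dictionary (no nested << >>), which is
# enough for a triage pass. Nested dictionaries would need a real object parser.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*<<([^>]*)>>\s*stream\r?\n")
# Decoder / string-building tokens counted for the "obfuscation likely" verdict (assumed list).
TOKEN_RE = re.compile(rb"\b(?:eval|unescape|atob)\s*\(|String\.fromCharCode|charCodeAt|util\.byteToChar|\+=")


def carve_streams(pdf: bytes):
    """Yield (objnum, header offset, dictionary bytes, raw stream bytes)."""
    pos = 0
    while True:
        m = OBJ_RE.search(pdf, pos)
        if m is None:
            return
        dictionary = m.group(2)
        start = m.end()
        # Direct /Length only; an indirect "/Length 5 0 R" falls back to scanning for endstream.
        length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)
        if length:
            raw = pdf[start:start + int(length.group(1))]
        else:
            end = pdf.find(b"endstream", start)
            raw = pdf[start:end if end != -1 else len(pdf)].rstrip(b"\r\n")
        pos = start + len(raw)  # skip the stream body so binary data is never re-parsed as objects
        yield int(m.group(1)), m.start(), dictionary, raw


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Inflate /FlateDecode streams; other filters are left raw for triage."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_artifacts(pdf: bytes) -> list:
    """Carve EmbeddedFile and /JS streams and run the static token triage on each."""
    js_refs = {int(n) for n in re.findall(rb"/JS\s+(\d+)\s+\d+\s+R", pdf)}
    artifacts = []
    for objnum, offset, dictionary, raw in carve_streams(pdf):
        if b"/EmbeddedFile" in dictionary:
            kind = "pdf-embedded-file"
        elif objnum in js_refs:
            kind = "pdf-javascript-stream"
        else:
            continue
        data = decode_stream(dictionary, raw)
        artifacts.append({
            "object": objnum, "offset": offset, "kind": kind,
            "size": len(data), "sha256": sha256_hex(data),
            "decoder_tokens": len(TOKEN_RE.findall(data)),
            "mz_header": data[:2] == b"MZ",
        })
    return artifacts


if __name__ == "__main__":
    for a in extract_artifacts(SAMPLE_PDF):
        print(f"obj {a['object']} @ {a['offset']:#x} {a['kind']} {a['size']} bytes "
              f"sha256={a['sha256'][:16]}... tokens={a['decoder_tokens']} mz={a['mz_header']}")
```

The hash and size are taken from the decoded bytes, which is what the artifact table above reports; hashing the still-compressed stream would give a different value and defeat lookups against other sandboxes. A token count on its own is only a triage signal, as the obj4044 entry shows: ClamAV reported nothing on the same bytes.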