Malicious PDF — malware analysis report

Static analysis result for SHA-256 3abeb85e81e591af…

MALICIOUS

PDF

Size: 437.3 KB
Created: 2011-09-20 10:38:42 +08:00
MD5: 50ccc39c08e09119ff02412baa3d3bc8
SHA-1: 104c015dbf6f4db367c909008fb3e9289f3c5f00
SHA-256: 3abeb85e81e591af663331ed332e0bb1e5e7d75572e3f5d164e9dbfc3a758807
Risk Score: 132

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript and RichMedia (Flash) content, indicating an attempt to exploit vulnerabilities. The presence of multiple embedded files, including suspicious secondary PDF content, further suggests a multi-stage attack. The primary attack vector appears to be leveraging PDF-specific exploits to deliver and execute further malicious payloads.

Heuristics (7)

  • Secondary embedded PDF body has suspicious static findings [critical] POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • RichMedia (Flash) [high] PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xmp/InDesign/private

Extracted artifacts (22)

Files carved from inside the sample during analysis.

Each entry lists: Filename, SHA-256, Kind, Source, Size
embedded_file_obj0001.bin
3000b3469a8bd553f177da3f507a5ea2271a3dee1fd5d5343f41950837af583c
pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x3B36 163 bytes
embedded_file_obj0002.bin
66b82b096ae83103365f40b9b767a5582b0a497e4589e7b9323eac0320c61808
pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x3C27 1670 bytes
embedded_file_obj0003.bin
e763ac63c3d21786709e7f462b463575525d0e344202f42dbb96897a01541e78
pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x3F43 785 bytes
embedded_file_obj0004.bin
720c47f19e6a058099295d18a16b7149cc73fe497eb78821ea810f3192228dc4
pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x4138 150 bytes
embedded_file_obj0005.bin
c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9
pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x4209 2955 bytes
embedded_file_obj0006.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x4583 200 bytes
embedded_file_obj0007.bin
4273cd319df227c91b92e5509527bb4f6e1abfb3aa2beec2fb2adb93a8671f62
pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x4676 835 bytes
embedded_file_obj0008.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1
pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x484D 56 bytes
stream_002_off000003ed.js
529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3ED 1363 bytes
stream_003_off000005ca.js
e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5CA 902 bytes
objstm_0047_00.bin
856830b101f28eaa61f2ccb44204fecaa2d0a9658055009fda363a9d3056ff76
pdf-objstm-decoded PDF /ObjStm 47 0 obj (inflated) 2543 bytes
font_00_cff_off00010d67.bin
12ffef7e90f5a004f4df847404cda2d11e47efc9df8876572016379682375834
pdf-font-stream PDF embedded font (cff) at offset 0x10D67 3539 bytes
font_01_cff_off00011bc5.bin
47f14645ffd997d8b379ff6462657e011145a98380a58a5aeab7e8ef30433312
pdf-font-stream PDF embedded font (cff) at offset 0x11BC5 1774 bytes
font_02_cff_off00012417.bin
87e233d167105255f2928b38e35531a35c8e1795f7492830db2d5e054d95f216
pdf-font-stream PDF embedded font (cff) at offset 0x12417 3788 bytes
font_03_cff_off00013a4e.bin
bd499d451ebc3508355df0f4753194ac1ef4df84774a4a83027920de19de024d
pdf-font-stream PDF embedded font (cff) at offset 0x13A4E 12008 bytes
font_04_cff_off00018888.bin
8bad0a98b91469610fabce5a7b4f5457fd97e7b11bcf68c5934a5ed57d4d3797
pdf-font-stream PDF embedded font (cff) at offset 0x18888 2979 bytes
font_05_cff_off0001f1f8.bin
d51eef5d1279165b0a6bc8c261d54b2fc233a7c4fe17931436c81b9ea947005e
pdf-font-stream PDF embedded font (cff) at offset 0x1F1F8 528 bytes
font_06_cff_off00021f14.bin
306d95baed1a4cef6c8b3aecf131536611c72a29c038254fdfa9a4638abafd48
pdf-font-stream PDF embedded font (cff) at offset 0x21F14 1608 bytes
font_07_cff_off0002270f.bin
aa0399ed4ecc70770425ed6951842117d0a416d44170714a69cbbfef052d19ef
pdf-font-stream PDF embedded font (cff) at offset 0x2270F 7020 bytes
font_08_cff_off000241b0.bin
436f7afaca352b42b1759555dccf69f99da6cb12f4f233a43521a20a50263555
pdf-font-stream PDF embedded font (cff) at offset 0x241B0 1258 bytes
polyglot_child_pdf_off0001003b.pdf
2453c1352e0676ed9a8a05ff4cb072269d22c09ff4a32c6c285e681b83b5b283
polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x1003B 382167 bytes
polyglot_child_pdf_off0006bd23.pdf
9a95102ad6b4d58a9a742832f61490a27e9b62855fe295b13214addfda321ad3
polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x6BD23 6127 bytes