Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b8436512a13ab01…

Verdict: MALICIOUS
File type: PDF
Size: 73.5 KB
Created: 2015-07-23 23:22:36
MD5: 0f3f32ed91ffac18827af99740c6e256
SHA-1: 9052d13d049e078b4d8e30260036f39436c575c0
SHA-256: 3b8436512a13ab0145f919b0c7855f409bee5146ef931c4ef86819fe0f05acbc
Risk Score: 66

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains multiple embedded JavaScript streams, indicating an attempt to execute malicious code. The primary heuristic firings point to the presence of JavaScript and embedded files, with one embedded PDF child also exhibiting suspicious static findings. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload, as suggested by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_IMAGE_ONLY_LURE heuristic suggests a deceptive lure, possibly to trick the user into interacting with the document.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2728

Heuristics (5)

  • Embedded PDF child has suspicious static findings high PDF_EMBEDDED_CHILD_STATIC_TRIAGE
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
javascript_obj0005_000.js | 546f84dc1aa58a4dcd8606b248b179eb319bfafc6e296b4d1e4c45401240ad45 | pdf-javascript-stream | PDF /JS object 5 at offset 0x1B7 | 249 bytes
javascript_obj0016_001.js | e8de1a84b26408a277abd22d1d096c119e198344ccce7fac267798e2945ec317 | pdf-javascript-stream | PDF /JS object 16 at offset 0xDC8 | 232 bytes
javascript_obj0019_002.js | 7f20df2e03d6932a34b3e75d6a08b685b7fee9f3237cef5b9493fec1b76708e3 | pdf-javascript-stream | PDF /JS object 19 at offset 0x100E | 153 bytes
javascript_obj0024_003.js | 3da19bcfa12dbc532429619047b898e0f3bf7ddc708a614effc2b69cbb3536e2 | pdf-javascript-stream | PDF /JS object 24 at offset 0x1E0D | 4859 bytes
javascript_obj0016_004.js | 6cb8e470d51246ef917aee654d05a4087ac4b90b76db7bf88bb87965c1904f68 | pdf-javascript-stream | PDF /JS object 16 at offset 0x1267 | 8668 bytes
javascript_obj0024_006.js | 15b8cb29e0de1949d246d64091e44c9a256b91f4ec749268cf8743bb5c1ef733 | pdf-javascript-stream | PDF /JS object 24 at offset 0x1E30 | 5651 bytes
peepdf.pdf | e9958b248574775e32c8bd6d2a38f1689a1ec9124f1c62e5f887ec3fe93830b5 | pdf-embedded-file | PDF EmbeddedFile object 13 at offset 0xF40D | 13379 bytes