Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ee420dacc790f26…

Verdict: MALICIOUS
File type: PDF
Size: 1.12 MB
Created: 2011-05-30 15:15:33 +02:00
Authoring application: Acrobat PDFMaker 9.0 for Word (via Acrobat Distiller 9.0.0 (Windows))
MD5: 63150e8c1596492acd861d89d136dff4
SHA-1: 00eef2c51e2cee2885704841cf6622bb13e2e0aa
SHA-256: 3ee420dacc790f26b6efe4b2a1c1f70b8a939e59d16378a82833924c67c24c91
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment
  • T1071.001 Web Protocols

The PDF file contains multiple JavaScript streams, one of which was specifically identified as submitting form data to an external URL. This indicates an attempt to exfiltrate data or to download additional malicious content. The primary URL targeted by the form submission is https://asp.netblanket.dk/svendborg/netutil/fdfhandler.aspx?task=refresh&esdh=acadre#FDF; a second external URI, http://www.mst.dk/)/S/URI, was also found. The combination of JavaScript actions and form submission points strongly to malicious intent, most likely phishing or malware delivery.

Heuristics (8)

  • PDF JavaScript submits form data to external URL (severity: high, rule: PDF_JS_SUBMITFORM_URL)
    PDF JavaScript calls submitForm() with an external HTTP(S) URL. This can send form/document context to a remote endpoint or route the user into a credential-phishing flow. It is a behavioral indicator, not a parser exploit signal.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Additional-actions dictionary (severity: low, rule: PDF_AA)
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm), which can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.).
  • Optional Content Group with action trigger (severity: low, rule: PDF_OPTIONAL_CONTENT)
    An Optional Content Group (layer) co-occurs with an action trigger: content can be selectively hidden from viewers or scanners while the action still fires on open.
  • AcroForm button with action trigger (severity: low, rule: PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.mst.dk/)/S/URI
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts (14)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0086_000.js | 9d3b1a943bebfebe30596d6738219bc0cb46e47ad55ab9f5fc1eb4e954abdae4 | pdf-javascript-stream | PDF /JS object 86 at offset 0xF0386 | 402 bytes |
| javascript_obj0262_001.js | 68c97f4fcc0ba6a82148826f4462a269228103a1fc67f6ffa6dac51c98fe6f84 | pdf-javascript-stream | PDF /JS object 262 at offset 0x107A75 | 183 bytes |
| javascript_obj0326_002.js | fe363206eaa56925455a19d587914ab946ab1381eee0288534ca7ce448804b58 | pdf-javascript-stream | PDF /JS object 326 at offset 0x10B759 | 110 bytes |
| javascript_obj0337_003.js | 9265c94490a8d813ca0b930d22af9a62a3b5b9dbbcf270624fdb2a6918587bc3 | pdf-javascript-stream | PDF /JS object 337 at offset 0x10C447 | 165 bytes |
| javascript_obj0338_004.js | 530735e33a691a7e55c677885de36e970db507014e982ca39d3a968e6f813856 | pdf-javascript-stream | PDF /JS object 338 at offset 0x10C520 | 4306 bytes |
| javascript_obj1369_005.js | 5882e82aa8cece86adcf41fe921eb9c0369e3a88df73cd7fb69009d794f4dc62 | pdf-javascript-stream | PDF /JS object 1369 at offset 0xF74 | 316 bytes |
| stream_042_off000f53f0.bin | 935661bcdf7ab72b80b9281240ac9e2264ef0c455d9434c2b90e2ca1f4e76ec0 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xF53F0 | 40174 bytes |
| icc_00_off00001f84.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x1F84 | 3144 bytes |
| font_00_cff_off000afd77.bin | a8c85ed96e7b707e871f8dcee51f33affb934ee12d45d13c8e59002b24d61e94 | pdf-font-stream | PDF embedded font (cff) at offset 0xAFD77 | 277 bytes |
| font_01_sfnt_off000bbb36.bin | bd30aed8ae68320eb058c6c8301e916daa47183b75a189bd7777c15c4970f4da | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBBB36 | 6116 bytes |
| font_02_sfnt_off000c3e3f.bin | 454aaf5a762981d90de1e61ab5f9642d715f2266cd047b8d7e90bd971a20f0e0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC3E3F | 10608 bytes |
| font_03_sfnt_off000e87f5.bin | 0b3442a5dcced2030300296a2148b0268e2c3b7f9da43b270d9146a79b0cbfd3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE87F5 | 23148 bytes |
| font_05_sfnt_off000fe579.bin | a0e7d6a872b31d461b93ce82539b181fc1fb831ad73c1c7c75ff44d9e61bc947 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE579 | 57248 bytes |
| font_06_sfnt_off001029af.bin | 7e02d0f4776a1b32d87849a70173031033e69df9ea8070a7ba9dc62f44d58663 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1029AF | 51992 bytes |