Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f3b4a6e78de75eb…

MALICIOUS

PDF

107.4 KB Created: 2018-06-12 09:41:10 -04:00
MD5: c51572bc0671e4cf09e39f9e252877a6 SHA-1: 4de76980cb5e9cd8637b0531f138dcf75449d587 SHA-256: 3f3b4a6e78de75ebf5cb885cb66f157730be13a78bdcaea0e23f41b3cc4db380
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file contains JavaScript that automatically executes upon opening, displaying a fake Adobe Acrobat update prompt. This prompt attempts to trick the user into clicking a link that submits form data to a remote URL, likely to download a second-stage payload. The embedded JavaScript and the fake update lure are strong indicators of a malicious document designed for initial compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9477

Heuristics 8

  • PDF auto-runs JavaScript form submission on open critical PDF_OPENACTION_JS_SUBMITFORM
    PDF uses /OpenAction to run JavaScript that calls submitForm() with an external HTTP(S) URL. Opening the document triggers the outbound submission path without requiring a normal link click.
  • PDF JavaScript shows fake Acrobat updater prompt high PDF_FAKE_ACROBAT_UPDATE_LURE
    PDF JavaScript displays Acrobat/update-themed language such as a document rendering engine update or remote connection to Adobe servers. When paired with JavaScript or external submission, this is a social-engineering lure rather than benign document text.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://office.internalportal.net/XTURWdlJsUTJhM2xIVGtwMVUweEhURnBVVG5KbFNUWlJWMjl5VDJoVU5IUjBWVmcwZVVGcWFUQjRTV052ZUhsWFUyVnpkMlJ2V25VcmFXSmhkRXRHZDBOMVF5OHdUbFZSU0dnNUwxSldTV2hZUVVoVlEyaFpWRUpLWm5aRVZVVlBaV1pCT0haVlIwczVNekE5TFMxbVpUUllZbnBDUkdaTGFUWXhaa3RwV2tsRFIweEJQVDA9LS03ZmJmNDBmOGEzNTRhY2Q5NjExMTFkNmU5NmY5ZjYxNTM3OWQ5MTg4?cid=901240900#FDF
    • https://office.internalportal.net/XUzB3dlJrSnVlRlJKT1V0a1NYRXhNbmhHZUVGUWRFWllNREpYUjJWbFRrZHJVazFxUjFvd2JuWnhNazFqUjJKSmQwRnpRalpHUVZaek9VSkRUMU5tV25veVpYUlRPRmRUVkhOQ2NIWTVOVTB3V205Q2RXOWFhMmRpY1VFNGFIQTVkMEpLYzJ0M1ozTjVaakp4ZURKNmIwVmliRlJWWlN0UFoybFFiRXRVV2paR2RUQTRabU53VVVFek9HTnRiMVoxU25oUllVbHhOV3hyUjAxVU0zVTJjVWxKU0c1TmJucElOMHB6UFMwdGRreGhVM0I1VVVGM2VYcDRVbE5vTUdoc2JtNTRkejA5LS1hYWUxMWJmNTMwNGU2YTdiNTBlZmVmNDM1ZmVkZjJhMWM3ZjhlMzdj?cid=901240900
    • https://office.internalportal.net/XUWt0NGEwWldhVGwyUTBFMWJYQnJNR2xCZDFONVpITm1kV1I0UzNkT1JFNVpOa3QzUzNCNVNrVjFVVzVDV2paaGJqQnBMMHR3VUdsUk1VcEZMMG80Y1d4SFpWUjRUQ3NyZUc1VVdXMUlZa2hUVEdkdFRURlhjM2dyZFU5clRXNXNXWGMwSzBNeGRqZHRTMlpYTUVjMFlsWTBSRGhPTUhGcVJHdEZTekpWUkhwQlozQk1UVzg1U25KTWRUZEVSU3RZUTA5RlV6Uk5RMkU0YjFSdVRVWXhWbkZhUjBOWk5YRjFZbGxWUFMwdFRVTTVSRVZFZFdSUVlsZGpaM0ZzVTFoWllWaHpRVDA5LS0zZTk3ODFjYzhkZTc5NjlhMDg0YzI1MjQ3ODExNGM4M2Q5Y2M2OThj?cid=901240900
    • https://office.internalportal.net/XWml0UUt6WkxWblZ6T1hoWk5uRTVkV3hZV1ZKUWEwUnVhVGxDVlVscmFXSjZZa0pZTW1JcmJteHpMM0kyTDBsUFFUUjBiVE0xUWxkbldWbEtaakZwWlhoM05uUlRWR0Z2Tm1OSFMzRlFkRTFGWXpabk1YUlJOVFY2TkZwNk9ERkxUalJVZVROdGVqUlRjVzF5SzIxb1lrRXJXV1UzY1hKd09YcFBaVkZrTUhCRE9VaEphVUZwYlZScGRqWnRTVVJaWTB0M1lXNVVNSE56UlRFclJtOUZOaTlDZFdoc00xZFBXRVpqUFMwdEt6VjJZMHR4TTNOT1JXRmpSWGRvZWxkeGQySlBaejA5LS1lZWFiZmE5MGIzOWVlZWNmY2I0YzdmNzYxZDNhZDEzNGI1M2Q5NGRm?cid=901240900
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0012_000.js
e181718bd71b81e591b758c2bfbb5b8e297332be1d0f4a76ee64997e100ec7e6		 pdf-javascript-stream PDF /JS object 12 at offset 0x180A 603 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
javascript_obj0012_001.js
ef0a4be2b56f0ddca93d7e30f0c6d9638d1712b1bb1ce9af7d6eadd7c84f0ccb		 pdf-javascript-stream PDF /JS object 12 at offset 0x1831 103734 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 long base64-like blob(s).
font_00_cff_off0001965b.bin
9340d372ad75a105fdb1627a30e96f892e0dc7d9588c0150cf06b4fa72281cc0		 pdf-font-stream PDF embedded font (cff) at offset 0x1965B 4575 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.