Malicious PDF — malware analysis report

Static analysis result for SHA-256 403e03c76747ba36…

Verdict: MALICIOUS
File type: PDF
Size: 1.03 MB
First seen: 2016-10-06
MD5: 438ae0fb2d3fd207f26b3c4f896783cf
SHA-1: 7eb681fc950f0aaaf18ba05aee7268f622f0df6d
SHA-256: 403e03c76747ba36dd05d7235ad538a133f5bccd47d362a7a0fccfb3541acf8a
Risk Score: 78

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

This PDF file contains multiple embedded JavaScript streams, with one particularly large stream (stream_009_off000011e3.js) flagged as a suspicious extracted artifact. The presence of XFA forms and JavaScript actions indicates an attempt to leverage PDF features for malicious purposes. The primary intent appears to be the execution of embedded scripts, which are commonly used to download and execute further malicious content. No specific family could be identified due to the generic nature of the exploit and lack of clear indicators.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.5969

Heuristics (6)

  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • JavaScript action [low] (1 related finding) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ocsp.verisign.com0 (Referenced by PDF JavaScript)
    • http://www.adobe.com/products/acrobat/readstep2.html (Referenced by PDF JavaScript)
    • http://www.adobe.com/support/products/ (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (Referenced by PDF JavaScript)
    • http://ns.adobe.com/xap/1.0/ (Referenced by PDF JavaScript)
    • http://ns.adobe.com/pdf/1.3/ (Referenced by PDF JavaScript)
    • http://ns.adobe.com/xap/1.0/mm/ (Referenced by PDF JavaScript)
    • http://purl.org/dc/elements/1.1/ (Referenced by PDF JavaScript)
    • http://ns.adobe.com/xfa/promoted-desc/ (Referenced by PDF JavaScript)
    • http://cgi.adobe.com/special/acrobat/update (Referenced by PDF JavaScript)
    • http://www.adobe.com/suppor (Referenced by PDF JavaScript)
    • http://ns.adobe.com/xdp/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xci/2.8/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-template/2.8/ (Referenced by PDF JavaScript)
    • http://www.w3.org/1999/xhtml (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-data/1.0/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-template/2.6/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-locale-set/2.7/ (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-locale-set/2.6/ (Referenced by PDF JavaScript)
    • http://crl.verisign.com/tss-ca.crl0 (Referenced by PDF JavaScript)
    • http://crl.verisign.com/ThawteTimestampingCA.crl0 (Referenced by PDF JavaScript)
    • https://www.verisign.com/rpa (Referenced by PDF JavaScript)
    • http://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0D (Referenced by PDF JavaScript)
    • https://www.verisign.com/rpa0 (Referenced by PDF JavaScript)
    • http://csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0 (Referenced by PDF JavaScript)
    • http://www.adobe.com/typehttp://www.adobe.com/type/legal.html (Referenced by PDF JavaScript)
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X (Referenced by PDF JavaScript)
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0 (Referenced by PDF JavaScript)
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z (Referenced by PDF JavaScript)
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0 (Referenced by PDF JavaScript)
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T (Referenced by PDF JavaScript)
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0 (Referenced by PDF JavaScript)
    • http://www.microsoft.com/typography/0 (Referenced by PDF JavaScript)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename: stream_002_off00000388.js
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x388
  Size: 1363 bytes
  SHA-256: 529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f

Filename: stream_003_off00000565.js
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x565
  Size: 902 bytes
  SHA-256: e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a

Filename: stream_008_off00000ea8.js
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xEA8
  Size: 1812 bytes
  SHA-256: 1c8c657ec74e4ddcfef4fe0ef389ddc27b7399d5a00e22b998dbc614c4fc6274

Filename: stream_009_off000011e3.js
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x11E3
  Size: 166061 bytes
  SHA-256: 94198d5a952d39e4239082ec4d9b6a98df96659b0e53b0622acc8e17f208183f
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 long base64-like blob(s).

Filename: stream_010_off0000a00d.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xA00D
  Size: 2928 bytes
  SHA-256: 0f910ffeec733940f6ba1ae41dc6770eab5d615c05bccc95197878b62c8dc45f

Filename: stream_015_off0002ab85.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x2AB85
  Size: 773832 bytes
  SHA-256: 7fb21f41a0a31b67b2d1ca41213f7a14d60846746bec2b2408f9d0e51f2ced96

Filename: stream_016_off00098e98.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x98E98
  Size: 750191 bytes
  SHA-256: 75ecafcf49e148324938d8d0bc9fb850a6e03de240bbda28599aa614a76370a7

Filename: objstm_0042_00.bin
  Kind: pdf-objstm-decoded
  Source: PDF /ObjStm 42 0 obj (inflated)
  Size: 606 bytes
  SHA-256: 47a070f8611d3429cb7d8b6fd62481bb135e9ff62f76e3829fa7c091ad0c19f0

Filename: font_00_sfnt_off0000a835.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA835
  Size: 94351 bytes
  SHA-256: 1626e6329f65d0d35cdf751ec668ac4b8800d726707d01e7810bb8297d789dee

Filename: font_01_sfnt_off0001a7dc.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1A7DC
  Size: 95674 bytes
  SHA-256: cf348fedd852889da8a68c6bdb0a4de6dcc15902a81428dea787d0ba78eb8bbd