Malicious PDF — malware analysis report

Static analysis result for SHA-256 41364dd1895525d4…

MALICIOUS

PDF

Size: 946.7 KB
Created: 2010-06-11 23:23:27 +08:00
MD5: b26d1f115fac5de9304fc5bd158f9b25
SHA-1: 6685dc6f159971755eb5bd08812f1a6b72a48329
SHA-256: 41364dd1895525d42449e67f4a63b4d65fc736e3b2350f3f20fb63514cdda5bd
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and RichMedia (Flash) content, indicating an attempt to exploit vulnerabilities within the PDF reader. The presence of embedded files and JavaScript actions strongly suggests that the primary purpose is to download and execute a second-stage payload. While specific URLs for malicious content were not extracted, the structure points to a common delivery mechanism for malware. The benign URLs extracted are likely standard PDF namespace declarations.

Heuristics (9)

  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Each entry lists: Filename, SHA-256, Kind, Source, Size.

  • embedded_file_obj0001.bin
    SHA-256: 84270147774bafb693cefa5666d1072d25266372a748def076468f6f646a453f
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 1 at offset 0x128F
    Size: 163 bytes
  • embedded_file_obj0002.bin
    SHA-256: a8b1b6c4a7495d6353e06643ee59323911843844524450bf1068d247661813e3
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 2 at offset 0x1380
    Size: 1590 bytes
  • embedded_file_obj0003.bin
    SHA-256: bce51576f361c2a5cb1b5786fb6626eb34a5bbe13e3cf964f10d091b40da35a9
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 3 at offset 0x167B
    Size: 4747 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 long base64-like blob(s).
  • embedded_file_obj0004.bin
    SHA-256: e893fc6010e845f2d992671bea3fe5dbb18bd6d442b5e3f98d9a1f1599fafd25
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 4 at offset 0x1EBF
    Size: 199 bytes
  • embedded_file_obj0005.bin
    SHA-256: c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 5 at offset 0x1FAD
    Size: 2955 bytes
  • embedded_file_obj0006.bin
    SHA-256: 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 6 at offset 0x2327
    Size: 200 bytes
  • embedded_file_obj0007.bin
    SHA-256: 733f6d5b45b2367069129a768a516fb18c67d8eea786404ef5632cf493f4226c
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 7 at offset 0x241A
    Size: 835 bytes
  • embedded_file_obj0008.bin
    SHA-256: 4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0x25F2
    Size: 56 bytes
  • stream_002_off000003d8.js
    SHA-256: 529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3D8
    Size: 1363 bytes
  • stream_003_off000005b5.js
    SHA-256: e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x5B5
    Size: 902 bytes
  • objstm_0046_00.bin
    SHA-256: 76654a8c7f3db10d22b5fa1d52fd1e1da1b4bd281c96ca56b72ac17ad2ca1c62
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 46 0 obj (inflated)
    Size: 1805 bytes