Malicious PDF — malware analysis report

Static analysis result for SHA-256 420134415476f8a9…

Verdict: MALICIOUS
File type: PDF
Size: 1.93 MB
MD5: fe716da19ea58a053d7e0028839b459d
SHA-1: 6d638569a1b33d780ef75109bf61441936f7d532
SHA-256: 420134415476f8a943f6d8b244a6164ffccbbefffb1f364ef47a83a8997b53b4
Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1566.003 Phishing: Spearphishing Attachment

The PDF file triggers multiple high-severity heuristics indicating it is malicious. Specifically, it uses JPXDecode together with active content, which matches a CVE-2018-4990 related indicator, and it includes a hidden external HTML iframe. The embedded URL pointing to 'http://www.ereading.cz/mamu.htm' suggests the document is designed to lure the user to an external resource under attacker control. The XFA form indicates a complex document structure that could be used to hide malicious content.

Heuristics (4)

  • JPXDecode + active content — JPEG2000 CVE-family indicator [severity: high; tag: CVE related] PDF_JPX_CVE_2018_4990_RELATED
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
  • PDF contains hidden external HTML iframe [severity: high] PDF_HIDDEN_HTML_IFRAME
    PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
  • XFA form [severity: low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream).
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: http://www.ereading.cz/mamu.htm
    Other extracted URLs (the remaining entries are standard XMP/RDF metadata namespace identifiers rather than navigable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xmp/InDesign/private
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/swf/1.0/

Extracted artifacts (15)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| stream_024_off000a5467.bin | 1c32657f48799eaf7a11d87f0a4c2d0eecb0c87056dcdb3c8d5016fb88e31b0e | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xA5467 | 1800 bytes |
| stream_050_off001a937f.bin | b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1A937F | 367087 bytes |
| font_00_cff_off00073e47.bin | e4d39eb36bd14379832fa6b009f887347ad44e06b61580116c16191256964802 | pdf-font-stream | PDF embedded font (cff) at offset 0x73E47 | 2444 bytes |
| font_01_cff_off00074710.bin | c3a46d972e834dbab2a6ce0c040d57de271c7904e5e1c32762acde65da4210f6 | pdf-font-stream | PDF embedded font (cff) at offset 0x74710 | 3374 bytes |
| font_02_cff_off000752a4.bin | 9f8925f7f0075bdbe0c3ebacf3678a6e10f2ec0829a74c368152574f1eb68539 | pdf-font-stream | PDF embedded font (cff) at offset 0x752A4 | 1330 bytes |
| font_03_cff_off000758cb.bin | cabacfa0d580056793e23966f69b36cd4c33551462080de7733195708cc6a5d0 | pdf-font-stream | PDF embedded font (cff) at offset 0x758CB | 4393 bytes |
| font_04_cff_off00076761.bin | 5f232ad58c7b0dcdb31baffe7275c1fe3924b1a6eb5c9a0500fa324ae968957d | pdf-font-stream | PDF embedded font (cff) at offset 0x76761 | 2236 bytes |
| font_05_cff_off0007f461.bin | 9d3b45ca4c358df111155265f13936ebfdf7f51f748c75266c49369c780c1ee5 | pdf-font-stream | PDF embedded font (cff) at offset 0x7F461 | 2650 bytes |
| font_06_cff_off001dd200.bin | a946691d9f0286e1e770ac7d4e9b1087ae0ccd1bd28a85f84884bdd4ff19236e | pdf-font-stream | PDF embedded font (cff) at offset 0x1DD200 | 14500 bytes |
| font_07_cff_off001df9c7.bin | 042deeb580841d79d561ccae977bc8bde88dd1a96589925a2794ea42ed0593af | pdf-font-stream | PDF embedded font (cff) at offset 0x1DF9C7 | 757 bytes |
| font_08_cff_off001dff25.bin | fe4fc8487575aaee37b5f523406970074af161303e723cab6dd7dd264d18755e | pdf-font-stream | PDF embedded font (cff) at offset 0x1DFF25 | 15293 bytes |
| font_09_cff_off001e5e95.bin | 611496e3a65592d0ccba8ee1ecd6ec9c24f57792c03e301cabbec777fd6d307d | pdf-font-stream | PDF embedded font (cff) at offset 0x1E5E95 | 7589 bytes |
| font_10_cff_off001e710a.bin | 92aaa257ea420ba424acbbb31ca8c913f909a8f71801393a2d7453be59f25fde | pdf-font-stream | PDF embedded font (cff) at offset 0x1E710A | 1224 bytes |
| font_11_cff_off001e77d1.bin | 3917a09837ba0fbc0d1bbc903516166fb68a56f68606a73425b80e2f5fb7eb8a | pdf-font-stream | PDF embedded font (cff) at offset 0x1E77D1 | 9785 bytes |
| font_12_cff_off001e91fa.bin | 5a2d43fb7f06394372db1c03f18c2e66d7c182d1e2a02b3785de08f0d8ee3c04 | pdf-font-stream | PDF embedded font (cff) at offset 0x1E91FA | 447 bytes |