Malicious PDF — malware analysis report

Static analysis result for SHA-256 458b06096c3d3b6d…

MALICIOUS

PDF

168.4 KB Created: 2008-04-23 16:42:36 +08:00 Authoring application: Acrobat PDFMaker 6.0 for Word (via Acrobat Distiller 6.0 (Windows))
MD5: 32e3e35aeba4e9a766dcb9760f2b09ac SHA-1: ee98b59f193cd571eb9970b6a775bf6e22cf3f67 SHA-256: 458b06096c3d3b6dfc91027f9f7593f846002d9882bddae8a3d34241abf6b9c0
Risk Score: 288

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

This PDF file contains embedded JavaScript and an embedded PE executable payload, indicating it is designed to exploit vulnerabilities and deliver malware. The critical heuristic firing for CVE-2007-5659 (Collab.collectEmailInfo) strongly suggests exploitation of a known PDF vulnerability. The embedded 'ctfmon.exe' is the likely second-stage payload. The presence of a secondary embedded PDF with similar suspicious findings further reinforces the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 11

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits. (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic.
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PermissionError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename: ctfmon.exe
Hash: 08a4f2446b9756ff03d232dd278508e29f82ab40e06c828c9dc92b8137785ee8
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 29 at offset 0x1063
Size: 13253 bytes

Filename: javascript_obj0026_000.js
Hash: 2135da6832c10ec741043c86d4e30015ea2528f20662a9cdc38f71ca882e64e8
Kind: pdf-javascript-stream
Source: PDF /JS object 26 at offset 0xA98
Size: 3428 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 17 eval/decoder/string-building token(s).

Filename: polyglot_child_pdf_off00024d6c.pdf
Hash: 10d2f83369a0442b4c8db813cea2c3185889f6cc4c77f1d871a3580015023fcb
Kind: polyglot-child-pdf
Source: Secondary PDF body inside pdf container at offset 0x24D6C
Size: 21599 bytes