Malicious PDF — malware analysis report

Static analysis result for SHA-256 47fa031690781371…

MALICIOUS

PDF

451.7 KB Created: 2008-02-14 17:33:19 -03:00 Authoring application: Acrobat Editor 8.0 (via Adobe Acrobat 8.1.0)
MD5: 4fb4b7861610ed26e9a1079601c4ea1e SHA-1: e340dcc9a1dcbb1879824d3f40993afaaaff1a0d SHA-256: 47fa0316907813716c28c9ceb332fea8fa2c57791f72586303f71ba55107f4f4
218 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution: Malicious File T1059.001 Command and Scripting Interpreter: PowerShell T1059.003 Command and Scripting Interpreter: Windows Command Shell

This PDF file contains embedded JavaScript and exploits the CVE-2009-0927 vulnerability, indicated by the 'Collab.getIcon' heuristic firing. The presence of a secondary embedded PDF with suspicious static findings and ClamAV detection as 'Pdf.Dropper.Agent-5303130-0' further confirms its malicious nature. The primary attack vector appears to be leveraging a known PDF reader exploit to download and execute a secondary payload.

Heuristics 8

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (matched in decompressed stream)
  • ClamAV: Pdf.Dropper.Agent-5303130-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-5303130-0
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#

Extracted artifacts 20

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00002125.bin
63bbb2d19297ca0cd7b0f903ae45c881d68c58630880431144fcac6837733a17		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2125 4096 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
icc_00_off0001e3ae.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x1E3AE 3144 bytes
font_00_cff_off0001ee11.bin
f369e349426d154f014f3718b21d41c01d9e73efb64db77a55ff53fbbcdf1825		 pdf-font-stream PDF embedded font (cff) at offset 0x1EE11 8282 bytes
font_01_cff_off00020a51.bin
258c3e79f42dcf17ba87c19e51e650a7db8df28d1500cde62a3099940aff1020		 pdf-font-stream PDF embedded font (cff) at offset 0x20A51 2861 bytes
font_02_cff_off0002151e.bin
b41b7e4fd6b1b36be858e5a8dd236c7c52a5460ac6cb812139e72176b417a817		 pdf-font-stream PDF embedded font (cff) at offset 0x2151E 2582 bytes
font_03_cff_off00021e39.bin
4dc9d88d336cf2b6e6685265352df1e30446def26108bc52adc488f497f804e1		 pdf-font-stream PDF embedded font (cff) at offset 0x21E39 1330 bytes
font_04_cff_off000223a1.bin
fcadfb05012ba3e2eaa14e05eb717f7fa7b45d08fed4e7df46905a8d5cd469de		 pdf-font-stream PDF embedded font (cff) at offset 0x223A1 2076 bytes
font_05_cff_off00022b5d.bin
78f988e9ff4403b9fc719a26fc1eec8bdfe38ee0513802881f85417cf46e8eac		 pdf-font-stream PDF embedded font (cff) at offset 0x22B5D 2066 bytes
font_06_cff_off0002331a.bin
83100bbda1ad7a57a4a774ac6917419d92f1f7904650717d71bb9158a4f8e72b		 pdf-font-stream PDF embedded font (cff) at offset 0x2331A 5281 bytes
font_07_cff_off000245f3.bin
e32ccd436f4a0ae50aee713b5216210e22b45ffd8deb3331a177bbc36a85bee3		 pdf-font-stream PDF embedded font (cff) at offset 0x245F3 1387 bytes
font_08_cff_off00024af5.bin
ea1418d3a5dfd2f9a604d9b4cde9a51ada59cf11570fced2ea88d7c5ff33a4d4		 pdf-font-stream PDF embedded font (cff) at offset 0x24AF5 632 bytes
font_09_cff_off00025490.bin
70c7b5694ae03646a5f2bc2d7b4e900785a447c8806f414088cec08d32171c86		 pdf-font-stream PDF embedded font (cff) at offset 0x25490 1419 bytes
font_10_cff_off00025c8e.bin
4511e30303d1e7d5154a7a9323df36c7e26932fdd07fdda64333c1036cf5643c		 pdf-font-stream PDF embedded font (cff) at offset 0x25C8E 2219 bytes
font_11_cff_off00026792.bin
c2ed3127206ec4d54ab8cb14f13eefef1ad85a93dbc5c9de8aaa901a351264b3		 pdf-font-stream PDF embedded font (cff) at offset 0x26792 1167 bytes
font_12_sfnt_off00062538.bin
076c1003699d69e6420681fffc4ecbe811f0f8f2a28080dd5a5c6a78e74fc27e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62538 6950 bytes
font_13_cff_off000637b1.bin
f46bd1e542bcdae97eb511f102d3f48a8fff2c37abe913148b1c96a69ad773bd		 pdf-font-stream PDF embedded font (cff) at offset 0x637B1 649 bytes
font_14_cff_off00066d69.bin
e5683a00a3d3f1515641eaffc0a9d3b36080d8d2bcf7f4d34a4d3c0bb45370fa		 pdf-font-stream PDF embedded font (cff) at offset 0x66D69 3873 bytes
font_15_cff_off00067d4a.bin
b93b6b6b293d275b88af40cf4a2b15786938fcf66991c4dd6bd8225a90c8437d		 pdf-font-stream PDF embedded font (cff) at offset 0x67D4A 1865 bytes
font_16_cff_off00068571.bin
6847be28d067f319d5664024dca883d9b09e7022cde0ee1760253a01465e9e79		 pdf-font-stream PDF embedded font (cff) at offset 0x68571 1539 bytes
polyglot_child_pdf_off00018462.pdf
cf790bfc31648d1950a9860cb07e1fd86fb1e33fcf7103c40744353a025e9319		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x18462 363133 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.