Malicious PDF — malware analysis report

Static analysis result for SHA-256 48082e9bad6dbb08…

MALICIOUS

PDF

516.9 KB Created: 2010-02-23 12:29:53 -08:00 Authoring application: Adobe LiveCycle Designer ES 8.2
MD5: a8b29ffb1e7f04033183e1d2d3e96adb SHA-1: 063b554ad894cda2f35250698de422238f536c2d SHA-256: 48082e9bad6dbb0874b10db00ec10f0f2fe492a035a4a51812adaaca992257d1
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains multiple embedded JavaScript streams, indicated by PDF_JAVASCRIPT and PDF_JS heuristics. One of these streams, identified as a suspicious extracted artifact, likely functions as a downloader for a second-stage payload. The presence of embedded files and XFA forms further suggests a complex document designed for malicious purposes. The exact payload and download mechanism are not fully discernible due to potential obfuscation, but the core intent appears to be the execution of external code.

Heuristics 8

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0002.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x56 85 bytes
embedded_file_obj0003.bin
0cae1494b9c99505bf126e683a1a8be36bc8d5e793ab829e266d6e2fd62ccac3		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x108 1466 bytes
embedded_file_obj0006.bin
226eeacc5eecef2a05ca480f144ff6936594e20b5c7672e8f29f25c8bea65a56		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x1133 2928 bytes
embedded_file_obj0007.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x14A0 200 bytes
embedded_file_obj0008.bin
d51b9fc28b592405fb598e711d1495e1421571073bc2e8542d55389768716c06		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x1593 835 bytes
embedded_file_obj0009.bin
e65f1e07bc965092b3153e64a1e8777a909cc47a98c0e2a10d38c47def2e6652		 pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x176C 291 bytes
javascript_obj0047_000.js
f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8		 pdf-javascript-stream PDF /JS object 47 at offset 0x12A04 1532 bytes
javascript_obj0048_001.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 pdf-javascript-stream PDF /JS object 48 at offset 0x12BEF 870 bytes
javascript_obj0049_002.js
826c5622c798d67e5281cca7e05933dddc90ccdcb0a6177c9f7d06f11bef8f7f		 pdf-javascript-stream PDF /JS object 49 at offset 0x12D49 2795 bytes
stream_002_off000003c7.js
b8a043b1f5d764055586cb478005cc0d36dcefc9f5e42d993c24efccc7f767af		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3C7 6517 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
stream_003_off00000f6b.bin
f47c3dc8c4eeb64abc2cc332be719add15af6ce6dfdcdb477c08a1aefdbe7477		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xF6B 11740 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.