Malicious PDF — malware analysis report

Static analysis result for SHA-256 48c69dbb54ed034e…

Verdict: MALICIOUS
File type: PDF
Size: 235.6 KB
Created: 2008-02-04 17:13:38 +01:00
Authoring application: Adobe LiveCycle Designer 8.0
MD5: bb328480732d52632a4e97193b241d93
SHA-1: fd8955a8e496761911847a391d87152c98872a3c
SHA-256: 48c69dbb54ed034e34333d40de4d421aed0f495823285639de8643b3d48a27bb
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains multiple embedded JavaScript streams and embedded files, indicating a complex malicious structure. The presence of the PDF_JAVASCRIPT and PDF_EMBEDDED_SCRIPT_PAYLOAD heuristics strongly suggests that the embedded scripts are intended to be executed. One of the extracted artifacts, 'stream_002_off00000af2.js', is particularly large, implying it may contain the primary malicious payload. The overall structure points toward a downloader or exploit delivery mechanism.

Heuristics (8)

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size, plus per-artifact detection results where available.

  • embedded_file_obj2805.bin
    SHA-256: 79c483d4ad708fdf3151e02cc94ff117f64b9a20b56e32322f5d6dd1cd0eb370
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 2805 at offset 0x2AF7C
    Size: 5439 bytes
  • embedded_file_obj2806.bin
    SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 2806 at offset 0x2B3E4
    Size: 85 bytes
  • embedded_file_obj2807.bin
    SHA-256: 8cd5d719ff4f7535146e71991e51d94ae0f710eded232b21fa8ad92a715bbc8d
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 2807 at offset 0x2B49B
    Size: 172069 bytes
  • javascript_obj1243_000.js
    SHA-256: 04ceb4c2218e7db19a6e007ca4ce846f92c17fff5eaf3a611e71bbd7a5726917
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1243 at offset 0x2A323
    Size: 1535 bytes
  • javascript_obj1244_001.js
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1244 at offset 0x2A510
    Size: 870 bytes
  • javascript_obj1245_002.js
    SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1245 at offset 0x2A66C
    Size: 2798 bytes
  • stream_001_off00000645.js
    SHA-256: 5084dcf56e922559e11ad2ff6ca97107ca3a85983491b0fa38c9163c1313ff4b
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x645
    Size: 3207 bytes
  • stream_002_off00000af2.js
    SHA-256: e6f4df56b20b60011691ea1d4dca469f722275ce116461a43df1d5235144cc0c
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xAF2
    Size: 775115 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 2 long base64-like blob(s).
  • stream_003_off00026668.bin
    SHA-256: 709f5f14906aba5477759b93bd35dc80d8ef3dcee93a12a7b69ad205651a51ee
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x26668
    Size: 4737 bytes
  • stream_004_off00026a3a.bin
    SHA-256: b856cfd312a3a200c2f4debebd5491f36e6679f143bbc72743527303f5fe7295
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x26A3A
    Size: 259 bytes
  • stream_017_off000351ac.bin
    SHA-256: 149911e6baa09ee66beb265292001980bc751f14126ce83f45ba8ba4114f1133
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x351AC
    Size: 50494 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 long base64-like blob(s).