Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b344f329f721eef…

MALICIOUS

PDF

41.5 KB Created: 2012-08-18 22:16:42 +04:00 Authoring application: Adobe Designer 7.0
MD5: cf1344f9b0419b1e3da49a45fa7c750b SHA-1: e79ab1952639d68cc1b17e9e5e3add26215eaea9 SHA-256: 4b344f329f721eef28be722dbd5d222571ca8172860b78cc2362f24d1fefd6a7
74 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious Link: Malicious File T1059 Command and Scripting Interpreter

The PDF exhibits multiple indicators of maliciousness, including embedded files and scripts, and is flagged by an ML classifier. The presence of XFA forms and AcroForm buttons suggests an attempt to interact with the user or exploit PDF features. While no specific URLs were flagged as malicious, the embedded nature of the content points towards a potential payload delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 5

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0040.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 40 at offset 0x7237 85 bytes
embedded_file_obj0041.bin
74e72782865ff6ca138226514e62c892ce7dcb4e146b07a6eb94a7cc83c4db41		 pdf-embedded-file PDF EmbeddedFile object 41 at offset 0x72E9 1528 bytes
embedded_file_obj0042.bin
9e104994c777cb5ba298d1b2788348e86e505209252c3ec45cbbb72686bcb6e1		 pdf-embedded-file PDF EmbeddedFile object 42 at offset 0x75BC 9539 bytes
embedded_file_obj0043.bin
3dd68f00f4fcb366a2a3a17c65cb2626eeddf5ea5713302d374310561d810169		 pdf-embedded-file PDF EmbeddedFile object 43 at offset 0x851D 144 bytes
embedded_file_obj0044.bin
016667cb6db3d4b5e9108b64d752c9bc222c236e42ffdd4ba2fbfa079602415b		 pdf-embedded-file PDF EmbeddedFile object 44 at offset 0x85E0 9159 bytes
embedded_file_obj0045.bin
57045217c453d4674a08ad8778674bf199a7989a9505424a1815c016e6bb412f		 pdf-embedded-file PDF EmbeddedFile object 45 at offset 0x8C6D 212 bytes
font_00_cff_off00001334.bin
23831e143e2e1a484b95ee765b15d94562c951468b895c080e655667dc04ddf0		 pdf-font-stream PDF embedded font (cff) at offset 0x1334 31178 bytes
font_01_cff_off00008dd2.bin
157865f80dfb492c001072431d936183806ccce9519986db888c51c486757ebb		 pdf-font-stream PDF embedded font (cff) at offset 0x8DD2 1192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.