Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b37b0769102bcf5…

MALICIOUS

PDF

Size: 663.7 KB
Created: 2008-06-18 20:18:49 -06:00
Authoring application: Acrobat Web Capture 8.0
MD5: 31a0d3e917ff8cf2350858c581377389
SHA-1: ad96f2128f46d8fca702dea1762a73f63efb9633
SHA-256: 4b37b0769102bcf59fab8dbbfeddc738e794ce2f7107e68495ec8c822e25105d
Risk Score: 86

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment
  • T1071.001 Web Protocols

The PDF file contains embedded JavaScript that triggers a SubmitForm action to an external URL. This behavior is indicative of a phishing attempt or a downloader, aiming to collect user input or deliver a secondary payload. The specific URL, http://www.homedepot.ca/webapp/wcs/stores/servlet/HomeDepotEmailRegistrationAddCmd, suggests a potential credential harvesting lure related to account registration.

Heuristics 7

  • PDF JavaScript submits form data to external URL (high, PDF_JS_SUBMITFORM_URL)
    PDF JavaScript calls submitForm() with an external HTTP(S) URL. This can send form/document context to a remote endpoint or route the user into a credential-phishing flow. It is a behavioral indicator, not a parser exploit signal.
  • SubmitForm action (medium, PDF_SUBMITFORM)
    PDF has a /SubmitForm action; form data can be silently posted to an attacker-controlled URL.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 5

Files carved from inside the sample during analysis.

  • javascript_obj0746_000.js
    SHA-256: 72381c5510866f6c9e53182413440adc5fa7e4ed0a731b59757f4b2ba74065f4
    Kind: pdf-javascript-stream
    Source: PDF /JS object 746 at offset 0x7EDEA
    Size: 192 bytes
  • javascript_obj0571_001.js
    SHA-256: 38f2463c8f63002568f82e406a2633f9ea35f139cf6ca504daec2f27c97fd2c9
    Kind: pdf-javascript-stream
    Source: PDF /JS object 571 at offset 0x8FC3E
    Size: 128 bytes
  • javascript_obj0651_002.js
    SHA-256: ec69886a58b0eebfba0e177f3e3077734c56a5072d9d3f11b5b3c8a3af42d2f6
    Kind: pdf-javascript-stream
    Source: PDF /JS object 651 at offset 0x7DF45
    Size: 314 bytes
  • stream_061_off0001e21b.bin
    SHA-256: 963a60cd7d15593b98893002079a9ae9b7e96dbcc9dd6274d30c9f81995f4e2d
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1E21B
    Size: 675843 bytes
  • font_00_sfnt_off0000803b.bin
    SHA-256: 123e20c3294c556b1fca0ef1c1690d9d345df1cc9c5b203c6d96c59ff799291b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x803B
    Size: 21803 bytes