Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b868b30861a3cd2…

Verdict: MALICIOUS
File type: PDF
Size: 662.2 KB
Created: 2004-02-19 22:44:49 -08:00
Authoring application: PScript5.dll Version 5.2 (via http://createpdf.adobe.com V5.5)
MD5: 17515efce4ffa2ba835e7aa8ec50356b
SHA-1: 8199babe1df7fb47cf91d99d81b38c40b28a2d36
SHA-256: 4b868b30861a3cd243c8a0e4605b9699b87a11a1bf8af4588ac18719f5e5f73a
Risk Score: 62

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The PDF file exhibits suspicious static findings, including duplicate object bodies and a secondary embedded PDF with significant static issues. The presence of embedded URLs, though currently benign, suggests a potential delivery mechanism. The critical heuristic 'POLYGLOT_CHILD_PDF_STATIC_TRIAGE' indicates that the embedded PDF itself has further suspicious static findings, pointing towards a multi-stage attack. The file likely exploits a vulnerability to download and execute a secondary payload.

Machine Learning

  • Nyx PDF Classifier clean score 0.0120

Heuristics (3)

  • [critical] POLYGLOT_CHILD_PDF_STATIC_TRIAGE: Secondary embedded PDF body has suspicious static findings
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://createpdf.adobe.com
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://ns.adobe.com/iX/1.0/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://purl.org/dc/elements/1.1/

Extracted artifacts (18)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
| --- | --- | --- | --- | --- |
| icc_00_off000274d5.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x274D5 | 3144 bytes |
| font_00_sfnt_off00001bb6.bin | f71335d5388fc99a369879de90e33a85cb1d88f33a0571327b1832bf0bc34680 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1BB6 | 24876 bytes |
| font_01_sfnt_off0001e7a6.bin | bcc5601da8f287871760367818ccec90cd34ab6eba775d23bdde725569701095 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E7A6 | 325000 bytes |
| font_02_sfnt_off0002b7b2.bin | 4e033183f927ceeb19ccd9d0223bb671d4d33c3880963d6785273b10c0db2cbe | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B7B2 | 20872 bytes |
| font_03_sfnt_off0002ef5f.bin | 2178dc2faa7986df961dd0f42661aba440d87c6da7fbe9231f2946f1a452c3a3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2EF5F | 28512 bytes |
| font_04_sfnt_off00033dec.bin | d125620025cfa5f87a1a51322af8bd030fcd84fa6d238cbb6b7331a703496864 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x33DEC | 5752 bytes |
| font_05_sfnt_off00034c56.bin | a3a9bf35ce037c07422267cff18119f62f6478a374c901090f54abc4734a8ccd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x34C56 | 18144 bytes |
| font_06_sfnt_off0004ac7b.bin | 049e8fffa5993b3877d4a2ca6b866da73afad176cddde280c870122c69117d2e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4AC7B | 472872 bytes |
| font_07_sfnt_off00061569.bin | 40340b3398247cd48bf5d38ce18551c042b6419a0538e0120a24909b25232ad2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x61569 | 26696 bytes |
| font_08_sfnt_off000663f1.bin | d7c54351889695d9d13e4ed3e1d70e13a73fef269dbe67b267ebed4cd08a453d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x663F1 | 26500 bytes |
| font_09_sfnt_off0007af25.bin | df13dc0513683b834d048c1c7bb9ae781c92a2b2f9162e2ae98e27284f728b81 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7AF25 | 11580 bytes |
| font_10_sfnt_off0007cad8.bin | 1f56ebca93969a6fba633360d11a8b28ff6bd1ca25ec6967ae259739154538f2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7CAD8 | 6544 bytes |
| font_11_sfnt_off0007da5b.bin | 28cf19321a6ee0a9470e19a7d3f893a1aff175f08a4d9a3335f39cf80a480ae2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7DA5B | 29652 bytes |
| font_12_sfnt_off00082c5e.bin | 3286598dcffee0b4777e49e5c6ca56ff1dbe798db55844f85a0fe8e15c9afb7c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x82C5E | 469400 bytes |
| font_13_sfnt_off000986ce.bin | 8a1a0bbaf34cf6c144c701425cee2b58e64eb3081fef6abcc0e011c44c854a82 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x986CE | 320240 bytes |
| font_14_sfnt_off000a064a.bin | a136f03c887a08bff3bce253d91391ac5f627ad771d132b2bfe7a882cfd3f0e4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA064A | 19240 bytes |
| font_15_sfnt_off000a2623.bin | 17faed01d27feacfc00be4a4220ca01e3538362c4464f8a91d8339663b27a6a1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA2623 | 14908 bytes |
| polyglot_child_pdf_off00038802.pdf | 92571dda4b5e12ea5cdea3ee04ab74d90562306735806df91aa913231f72d07b | polyglot-child-pdf | Secondary PDF body inside pdf container at offset 0x38802 | 446676 bytes |