Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c087a65f6f126e3…

Verdict: MALICIOUS
File type: PDF
Size: 48.9 KB
Created: 2010-05-20 18:09:34
Authoring application: PScript5.dll Version 5.2.2 (via GPL Ghostscript 8.15)
MD5: 470f8340e0e4d51b0469efc493d4e916
SHA-1: 730545b2491f10ba8aa642afbd4cdd8f9163eff7
SHA-256: 4c087a65f6f126e3ede390161b13cfce4433b4196f84032d6d73882ea8a06a1a
Risk Score: 72

Malware Insights

MITRE ATT&CK
  • T1557 Adversary-in-the-Middle
  • T1027 Obfuscated Files or Information
  • T1105 Ingress Tool Transfer

The PDF contains an embedded Windows executable payload, indicated by the PDF_EMBEDDED_PE_PAYLOAD heuristic. The embedded artifact is named 'rAiN-ViV.b.exe'. The presence of external URIs, though benign in this case, suggests a potential delivery mechanism. The file's structure and embedded executable point to downloader or dropper functionality.

Heuristics (5)

  • Embedded Windows executable payload in PDF stream [critical] PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.pdfill.com (channel label: URL; raw extracted string: http://www.pdfill.com)/S/URI)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: rAiN-ViV.b.exe
  SHA-256: 8f3e0ffd52e0eeb99209da3cd0826781549d3b4a048cda2eb4a3bf2dadebbb6b
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 3 at offset 0x61
  Size: 22528 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.73, consistent with packed or encrypted content.

Artifact 2
  Filename: font_00_sfnt_off0000a8de.bin
  SHA-256: f80b0f4ed1f8856664a60b6b26efcf7b4cf00850a84cc2ba93a01dcf124aafaf
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA8DE
  Size: 9148 bytes