Malicious PDF — malware analysis report

Static analysis result for SHA-256 53c393d1534a4706…

MALICIOUS

PDF

957.2 KB Created: 2000-09-12 14:38:23 UTC Authoring application: FrameMaker 7.1 (via Acrobat Distiller 8.0.0 (Windows))
MD5: 8daa04fb939c95b02a7d376d75f36de3 SHA-1: 2f86c25fe418a3dc5ecf87858233e725fa647fa7 SHA-256: 53c393d1534a4706779752239e8d3804464f91def304ed62646e841b8fd47f86
246 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains multiple embedded JavaScript streams and XFA forms with executable scripts, indicating a malicious intent. The critical finding of CVE-2007-5659 (Collab.collectEmailInfo) suggests exploitation of a known vulnerability. The presence of embedded scripts and the exploitation of CVE-2007-5659 strongly suggest the document is designed to download and execute a second-stage payload.

Heuristics 10

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • XFA form contains executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose dataset contains a <script> or <xfa:script> block — XFA scripting has been the exploit primitive for several Adobe Reader RCEs (CVE-2010-0188 family, CVE-2018-4901, and others). Plain XFA without scripts is far less risky.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xtd/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 12

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0033_000.js
581a926b2e06be96bd070c0afcdf5d583f01f7478efb5ede49ec952327816962		 pdf-javascript-stream PDF /JS object 33 at offset 0x850 1604 bytes
javascript_obj0034_001.js
3bf84668674e23c91aaaa6c58c24a1f80a30566e9cfbd09040882d18101fed76		 pdf-javascript-stream PDF /JS object 34 at offset 0xA38 902 bytes
javascript_obj0035_002.js
8a80adc1b657ee148de558aa29f7e42fbde3a74384eb4bc6c402994a84050d52		 pdf-javascript-stream PDF /JS object 35 at offset 0xBA2 6424 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 eval/decoder/string-building token(s).
stream_022_off000e2d41.js
47033358ba9953783ed3ee39201bc259c00d6a67db25c17e7291f2e51848e6a0		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xE2D41 11972 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 eval/decoder/string-building token(s).
embedded_pdf_script_0000adcb.bin
124382112a33622cefb34e435e3f7b152988ce63ebd2b38ca4e8a5010ab8e8d7		 pdf-embedded-script PDF raw stream script payload at offset 0xADCB 2188 bytes
icc_00_off000091f1.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x91F1 3144 bytes
font_00_cff_off000023ca.bin
c9a90534081969cbe2c5f330cfb723f6e5946db740136c977cd39e9419032514		 pdf-font-stream PDF embedded font (cff) at offset 0x23CA 722 bytes
font_01_cff_off00002943.bin
8d639f3602ea651e2cee3e13acf0aed7a94d014dbb9bdba451cad95ce76a1487		 pdf-font-stream PDF embedded font (cff) at offset 0x2943 3836 bytes
font_02_cff_off00003ad4.bin
5bee0470b49b9a65d3f1c61c184b30a10d3d7183b2c7d5a26827247d58c1fd41		 pdf-font-stream PDF embedded font (cff) at offset 0x3AD4 4985 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.41, consistent with packed or encrypted content.
font_03_cff_off00005e33.bin
c6742687c962cd0c3a0e4cc30e5f812f7c9d716716e671042fd808bef6a82dbb		 pdf-font-stream PDF embedded font (cff) at offset 0x5E33 1358 bytes
font_04_cff_off0000651a.bin
0abf4732b233f533a39f9e043dce32c026361e1d2e62704d7799c3434f395fbb		 pdf-font-stream PDF embedded font (cff) at offset 0x651A 348 bytes
polyglot_child_pdf_off000e216a.pdf
7c9700e88dbef002459aa9d927bc2df717777b6d14fc45b48c2387236a0125a8		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xE216A 54106 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.