Malicious PDF — malware analysis report

Static analysis result for SHA-256 5701a4afdac90724…

MALICIOUS

PDF

Size: 799.5 KB
Created: 2006-04-17 14:54:21 -05:00
Authoring application: Adobe Designer 7.0
MD5: a0527a9d2d66f558c8810cb844939662
SHA-1: 986ddc8f19540138e873490d3fc500a73120bbf9
SHA-256: 5701a4afdac90724db23a9a094f3fddde3941f7fd4c409e7ae722d2b6441598e
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains embedded JavaScript and XFA form elements, indicating a potential for malicious code execution. The presence of a callback phishing lure suggests the document is designed to trick the user into calling a fraudulent support number. While the specific JavaScript payload is not fully detailed, the combination of these elements points to a sophisticated social engineering attack. The benign URLs extracted do not contribute to the maliciousness assessment.

Heuristics (9)

  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size.

  • embedded_file_obj0261.bin
    SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 261 at offset 0xC3555
    Size: 85 bytes
  • embedded_file_obj0262.bin
    SHA-256: 9cbd92abb6b8551841b84f8c3e5712246fb89f095f78206475067d93a2215467
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 262 at offset 0xC3608
    Size: 1770 bytes
  • embedded_file_obj0263.bin
    SHA-256: 2c169b016d9ab6702e9fc888e814df606638a68f95faf1b5e37147b5aed33a6a
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 263 at offset 0xC3949
    Size: 43978 bytes
  • embedded_file_obj0264.bin
    SHA-256: 57045217c453d4674a08ad8778674bf199a7989a9505424a1815c016e6bb412f
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 264 at offset 0xC5554
    Size: 212 bytes
  • embedded_file_obj0265.bin
    SHA-256: 01e716ddb63b3361ea729a9b461be1b8b0456f3bdb47f8f0742f55e70f6528b5
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 265 at offset 0xC564C
    Size: 1088 bytes
  • embedded_file_obj0266.bin
    SHA-256: 4efa4bb5bbb12852ce26a76d91f04eebdb245f230b83215fbae4889d1935b14f
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 266 at offset 0xC57E6
    Size: 724 bytes
  • embedded_file_obj0267.bin
    SHA-256: a60265344cf1a9e94da34c8f587f64a4297e2fa417c895852209903ab7588bcc
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 267 at offset 0xC59C5
    Size: 85 bytes
  • javascript_obj0253_000.js
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
    Kind: pdf-javascript-stream
    Source: PDF /JS object 253 at offset 0xC2DCE
    Size: 870 bytes
  • javascript_obj0255_001.js
    SHA-256: 4e139c8b22ec16bd5aa51575c80dec2bbf89b76977a06b68473031a0eb206366
    Kind: pdf-javascript-stream
    Source: PDF /JS object 255 at offset 0xC2F55
    Size: 2794 bytes
  • javascript_obj0257_002.js
    SHA-256: c876171bd867b66b7671fb337ff9e57d18cd15b43d344cf5a7243821300a408a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 257 at offset 0xC3247
    Size: 1528 bytes
  • stream_006_off0000d61e.bin
    SHA-256: 33a9203d39b9a0067f2b84037fa691b9ff5476bb9e8795a25b6681abde039463
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xD61E
    Size: 350412 bytes
  • stream_008_off000429e8.bin
    SHA-256: c68dc9021f3d481fece107bf920214b28f1ca6186695419e19805fa1dec5e5e7
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x429E8
    Size: 209502 bytes
  • stream_012_off000720d1.bin
    SHA-256: d2a02c1661f0853adfa9bd6b23a47fba0adb0cb0bee27d55e2fe88708daa9f6f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x720D1
    Size: 339468 bytes
  • font_00_cff_off00001993.bin
    SHA-256: 96161e3d15cf67591ef2a1c87940c8dc0af59a94fcfab5d6bfcf4cb992a24af8
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1993
    Size: 64586 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely — carved artifact entropy is 7.45, consistent with packed or encrypted content.
  • font_01_cff_off00065559.bin
    SHA-256: 4803324ea76d8b2fbdcadd2df0552cac3e6a87a58bdc3af992b6d03b60f76d81
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x65559
    Size: 71321 bytes
  • font_02_cff_off000a602b.bin
    SHA-256: 19bc268243419390efbe4d4a72616ba894a394856f2c9ca5fc68f8c8c3d28328
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xA602B
    Size: 67274 bytes