Malicious PDF — malware analysis report

Static analysis result for SHA-256 57217b46f473713d…

Verdict: MALICIOUS
File type: PDF
Size: 5.91 MB
Created: 2010-11-24 14:12:11 -05:00
Authoring application: Acrobat Distiller 9.4.0 (Windows)
MD5: aab6adef435489dfc1ef7654d0e1d13e
SHA-1: 1d64615d17cca894a9237b7a1ea3b715adf79442
SHA-256: 57217b46f473713d94fd9552d51d9883880c42b4f91aeb9d8942edf516d897cc
Risk score: 68

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell (none of the heuristics or carved artifacts listed below show PowerShell content; treat the mapping as unconfirmed until the embedded JavaScript has been reviewed)

The PDF contains embedded JavaScript (a /JS stream) and an unusually high stream count (501+), which can indicate obfuscation or exploit code, although a 5.91 MB Distiller-generated document with embedded fonts and ICC profiles also legitimately carries many streams. The SE_PASSWORD_ARCHIVE_LURE heuristic indicates the document's text instructs the user to use a password for an archive or attachment, a common tactic for keeping a payload encrypted until it is past gateway scanning. No specific malware family could be identified.

Heuristics (4)

  • SE_PASSWORD_ARCHIVE_LURE (severity: high): Password-protected archive handoff
    Document gives password instructions for an archive or attachment, a tactic used to keep the payload encrypted until after gateway scanning.
  • PDF_MANY_STREAMS (severity: medium): Unusually high stream count
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation. Every page content, image, font and ICC profile is also a stream, so a large Distiller output with embedded fonts legitimately carries many; weigh this signal together with the others rather than on its own.
  • PDF_JS (severity: low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • EMBEDDED_URL (severity: info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are standard XMP/RDF namespace identifiers of the kind Acrobat Distiller writes into a document's XMP metadata; they are not navigable links and do not indicate a download location.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

stream_114_off0011c901.bin
  SHA-256: d5c40e5c0be84de0a971f99c6501bb5139ba6037d05c38647727fa01ff919f2b
  Kind: decompressed-pdf-stream   Source: PDF FlateDecoded stream at offset 0x11C901   Size: 1899912 bytes
stream_128_off001b4dee.bin
  SHA-256: edde5fc426a257b5becab33cc4a9d3424c1f5b7678755faec5890621763aee5a
  Kind: decompressed-pdf-stream   Source: PDF FlateDecoded stream at offset 0x1B4DEE   Size: 1916544 bytes
stream_147_off001ffa1f.bin
  SHA-256: 4e1640c494ab86c5634f4c6bcafda3da88241323d9d510a3c6a32055874adbd7
  Kind: decompressed-pdf-stream   Source: PDF FlateDecoded stream at offset 0x1FFA1F   Size: 1841448 bytes
icc_00_off00003970.icc
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  Kind: pdf-icc-profile   Source: PDF ICC profile at offset 0x3970   Size: 3144 bytes
icc_01_off000241c9.icc
  SHA-256: 653b586c4707574ffcd648ba35494daed2c76ceafcf4c07d315ed961b1dc347f
  Kind: pdf-icc-profile   Source: PDF ICC profile at offset 0x241C9   Size: 408 bytes
font_00_sfnt_off0059a3ad.bin
  SHA-256: 683b9b2aac21bee6c334d2aaa19955034db4578c8b119a0af3223c142343cc65
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x59A3AD   Size: 24092 bytes
font_01_sfnt_off005baaa6.bin
  SHA-256: 18192db2bec9e0fda4ebc2f8b05a7811c31100fa6e648ea441a4c597962d4c60
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x5BAAA6   Size: 51568 bytes
font_02_sfnt_off005c1f90.bin
  SHA-256: e53fa9a03df2775d9009301d1c14ee91556f0bcad8754c8712ece0bc724bd5b4
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x5C1F90   Size: 32468 bytes
font_03_sfnt_off005c654c.bin
  SHA-256: 91998ad8f302414e1ac04c6f016d7451aa3ca6f5684744019069f39d7c7d491d
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x5C654C   Size: 20056 bytes
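The following Python script is an added example, not the scanner's own code nor the tooling that produced this report. It reproduces, on a constructed sample file, the kinds of signals behind the heuristics section (stream count, /JS references, a password-lure text check, URL extraction labelled by channel) and the artifact carving above (inflating FlateDecode streams, recording their absolute offset, size, a magic-byte kind and a SHA-256). The sample PDF, the example.invalid URLs and the fake sfnt and ICC payloads are all constructed for the demonstration; the channel names and kinds are chosen to mirror the report's labels and are not an API of any real scanner.

```python
# Added example, not the scanner's own code: a minimal PDF triage pass reproducing the
# kinds of signals in the report above. Regex object parsing suits classic-layout files
# like the constructed sample; object streams, encryption, indirect /Length values or
# incremental updates need a real parser (pdf-parser.py, pdfminer).
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"'()\[\]]+")
JS_RE = re.compile(rb"/JS\b|/JavaScript\b")
LURE_RE = re.compile(rb"password[^\n]{0,40}(archive|attach|zip|rar|7z)|"
                     rb"(archive|attach|zip|rar|7z)[^\n]{0,40}password", re.I)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def count_streams(pdf: bytes) -> int:
    # Raw 'stream' keywords; the lookbehind keeps 'endstream' out of the count (PDF_MANY_STREAMS-style).
    return len(re.findall(rb"(?<!end)stream\r?\n", pdf))

def find_js_objects(pdf: bytes) -> list:
    # Object numbers whose dictionary carries /JS or /JavaScript (PDF_JS-style signal).
    return [int(n) for n, body in OBJ_RE.findall(pdf) if JS_RE.search(body)]

def _stream_payload(body: bytes) -> bytes:
    # Stream data of one object, sized by a direct /Length, inflated when the filter is FlateDecode.
    m, length = re.search(rb"stream\r?\n", body), re.search(rb"/Length\s+(\d+)", body)
    if not m or not length:
        return b""
    data = body[m.end():m.end() + int(length.group(1))]
    if b"/FlateDecode" not in body:
        return data
    try:
        return zlib.decompress(data)
    except zlib.error:
        return b""  # corrupt or unsupported stream: nothing to inspect

def password_lure(pdf: bytes) -> bool:
    # SE_PASSWORD_ARCHIVE_LURE-style check over decoded text streams. Lures drawn as
    # images or rendered with remapped glyphs will not match, so a miss is not a clearance.
    return any(LURE_RE.search(_stream_payload(b)) for _, b in OBJ_RE.findall(pdf))

def channel_for(body: bytes) -> str:
    # Which part of the document reached the URL, mirroring the report's per-URL labels.
    if JS_RE.search(body):
        return "js"
    if b"/URI" in body:
        return "link-annotation"
    return "xmp-metadata" if re.search(rb"/Type\s*/Metadata", body) else "document-body"

def extract_urls(pdf: bytes) -> list:
    found = set()
    for m in OBJ_RE.finditer(pdf):
        for url in URL_RE.findall(m.group(2) + _stream_payload(m.group(2))):
            found.add((channel_for(m.group(2)), url.decode("latin-1")))
    return sorted(found)

def classify(data: bytes) -> str:
    # Same kinds as the artifact table above, decided from magic bytes.
    if len(data) >= 40 and data[36:40] == b"acsp":
        return "pdf-icc-profile"
    return "pdf-font-stream" if data[:4] in (b"\x00\x01\x00\x00", b"OTTO", b"true") else "decompressed-pdf-stream"

def carve_streams(pdf: bytes) -> list:
    # One record per FlateDecode stream: object number, absolute file offset of the raw
    # data, inflated size, kind and SHA-256 of the inflated bytes.
    out = []
    for m in OBJ_RE.finditer(pdf):
        body, s = m.group(2), re.search(rb"stream\r?\n", m.group(2))
        data = _stream_payload(body) if s and b"/FlateDecode" in body else b""
        if data:
            out.append({"obj": int(m.group(1)), "offset": m.start(2) + s.end(), "size": len(data),
                        "kind": classify(data), "sha256": sha256_hex(data)})
    return out

def build_sample_pdf() -> bytes:
    # Constructed sample, not the analysed file: one page, an OpenAction JavaScript object,
    # a link annotation, an uncompressed XMP stream and three FlateDecode streams
    # (page text with a password lure, a fake sfnt font, a fake ICC profile).
    def flate(raw):
        z = zlib.compress(raw)
        return b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(z) + z + b"\nendstream"
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf='
           b'"http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>')
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /Metadata 7 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [6 0 R] >>",
        flate(b"BT /F1 12 Tf 72 700 Td (Password for the attached archive: 1234) Tj ET"),
        b'<< /S /JavaScript /JS (app.launchURL\\("http://example.invalid/js"\\)) >>',
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (http://example.invalid/pay) >> >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
        flate(b"\x00\x01\x00\x00" + b"\x00" * 60),     # sfnt magic, padded
        flate(b"\x00" * 36 + b"acsp" + b"\x00" * 88),  # ICC signature 'acsp' at offset 36
    ]
    pdf = b"%PDF-1.7\n" + b"".join(b"%d 0 obj\n" % i + o + b"\nendobj\n" for i, o in enumerate(objs, 1))
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"

if __name__ == "__main__":
    sample = build_sample_pdf()
    print("streams:", count_streams(sample), "js objects:", find_js_objects(sample), "lure:", password_lure(sample))
    for channel, url in extract_urls(sample):
        print(f"URL [{channel}] {url}")
    for r in carve_streams(sample):
        print(f"obj {r['obj']} @0x{r['offset']:X} {r['kind']} {r['size']} bytes sha256={r['sha256'][:16]}...")
```

Run against a real sample, the interesting output is the carved records: hash each inflated stream, then look at the large ones (here the three 1.8 to 1.9 MB FlateDecoded streams) and at whatever the /JS object resolves to, since the report scores the presence of JavaScript but does not show its content. The XMP namespace URLs surface under the xmp-metadata channel, which is why the per-URL label matters more than the URL list itself.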