Donoff — PDF malware analysis

Static analysis result for SHA-256 5722daf5c0b91363…

MALICIOUS

PDF

63.1 KB Created: 2017-05-09 11:24:55 +03:00 Authoring application: 1471779 (via iTextSharp’ 5.5.10 ©2000-2016 iText Group NV (AGPL-version))
MD5: 3413d30f018d1a0a1c98d65097ce063d SHA-1: f98a35ab5f9fa47a49db5535b654cebb5bc99bf5 SHA-256: 5722daf5c0b91363808d46a2c5b93a8f70f0dadd94866148d1d77975ba04d211
176 Risk Score

Malware Insights

Donoff · confidence 95%

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The file is a PDF containing embedded JavaScript, which is a common delivery mechanism for malware. ClamAV identified the file as 'Doc.Downloader.Donoff-10030369-0', indicating it's a downloader. The embedded JavaScript stream, named 'javascript_obj0006_001.js', likely facilitates the download and execution of a second-stage payload. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Doc.Downloader.Donoff-10030369-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Donoff-10030369-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
GVJHDFDHW.docm
c284500746350029e00c691ebe1aeed356b5377fae2837f480248ba59d704162		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x920 73243 bytes
Detection
ClamAV: Doc.Downloader.Donoff-10030369-0
Obfuscation or payload: unlikely
javascript_obj0006_001.js
aba3635bf7633e58a12ceaa7d04b258d81639a88024a9de076086c8a30d3727f		 pdf-javascript-stream PDF /JS object 6 at offset 0xF579 668 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.