Malicious PDF — malware analysis report

Static analysis result for SHA-256 5869a023d74dab37…

Verdict: MALICIOUS
File type: PDF
Size: 355.7 KB
Created: 2007-01-30 20:44:46 UTC
Authoring application: PrimoPDF http://www.primopdf.com (via AFPL Ghostscript 8.13)
MD5: 69cf0241425014e97aa5c9975f2ea09f
SHA-1: 97a2b8765d7248a0fa9e4872ca8583d3594d18c3
SHA-256: 5869a023d74dab3742194a45af65879c144486e12e7653e669a86ba0be4dd356
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell (as mapped by the scanner; note that none of the heuristics below reports a PowerShell or other Windows shell-execution primitive, so this mapping is not evidenced by the listed findings)

The PDF contains embedded JavaScript (/JavaScript actions and /JS streams), an XFA form and embedded file attachments. Each of these features is also common in benign interactive forms, as the scanner's own rule descriptions note; the MALICIOUS verdict rests on their combination with an AcroForm button wired to an action trigger, the usual shape of a PDF phishing lure. The extracted URLs consist of the PrimoPDF vendor link from the Info dictionary and XML namespace URIs from the XFA form and XMP metadata, none of which is a download endpoint, so a "download and execute a secondary payload" chain is not evidenced by this static pass. Confirming or ruling it out requires reading the six carved JavaScript streams and the twelve embedded files listed under Extracted artifacts; the JavaScript streams come in two sets of three with near-identical sizes (1604/902/2798 and 1532/870/2795 bytes), so there are probably three distinct scripts to review rather than six.

Heuristics (7)

  • PDF_EMBEDDED_SCRIPT_PAYLOAD (medium): embedded script payload in PDF stream
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; common in accessible XFA forms but worth surfacing for analyst review.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_EMBEDDED (low): embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF_XFA (low): XFA form
    PDF uses XML Forms Architecture, which can contain script logic.
  • PDF_ACROFORM_BUTTON (low): AcroForm button with action trigger
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • EMBEDDED_URL (info): embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. (None of the URLs listed below carries a channel label; all are either the PrimoPDF vendor link from the Info dictionary or XML namespace URIs from the XFA form and XMP metadata.)
    The extractor also emitted "http://www.primopdf.com)/Producer(AFPL", an over-read of the /Creator string into the adjacent /Producer key of the Info dictionary; it is not a distinct URL.
    • http://www.primopdf.com
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.w3.org/2001/XMLSchema-instance
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xtd/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.w3.org/1999/xhtml
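The following script is an added example, not code from the original report or from the scanner that produced it. It reproduces the kind of structural checks behind the PDF_JAVASCRIPT, PDF_JS, PDF_EMBEDDED, PDF_XFA, PDF_ACROFORM_BUTTON and EMBEDDED_URL rules on a constructed PDF fragment, resolves #xx name escapes so an obfuscated /J#53 still counts as /JS, and shows both the greedy URL pattern that produces artifacts like "http://www.primopdf.com)/Producer(AFPL" and a delimiter-aware one, labelling each URL by the channel that reached it and separating schema namespace URIs from real hosts. The sample bytes, the rule table, the context labels and the "fetch target" notion are assumptions made for this example.

```python
"""Static PDF triage: structural keyword hits and URL context.

Added example, not the scanner's own code. Rule ids follow the report; the
sample PDF, context labels and "fetch target" idea are assumptions.
"""
import re
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): catalog with XFA form and an
# OpenAction, an Info dict in PrimoPDF's delimiter-free style, a JavaScript
# action with a hex-escaped /JS key, a /Btn with a /URI action, an XFA stream
# and an embedded file.
SAMPLE_PDF = b"""%PDF-1.6
1 0 obj << /Type /Catalog /AcroForm << /XFA 5 0 R /Fields [4 0 R] >> /OpenAction 3 0 R >> endobj
2 0 obj << /Creator(PrimoPDF http://www.primopdf.com)/Producer(AFPL Ghostscript 8.13) >> endobj
3 0 obj << /S /JavaScript /J#53 (app.alert('hi')) >> endobj
4 0 obj << /FT /Btn /T (Download) /A << /S /URI /URI (http://example.invalid/get) >> >> endobj
5 0 obj << /Length 119 >> stream
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template xmlns="http://www.xfa.org/schema/xfa-template/2.5/"/></xdp:xdp>
endstream endobj
6 0 obj << /Type /EmbeddedFile /Length 3 >> stream
abc
endstream endobj
"""

_NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes (/J#53 -> /JS) so obfuscated names still hit the rules.
    Applied file-wide for brevity; a stricter tool rewrites only inside names."""
    return _NAME_ESC.sub(lambda m: bytes.fromhex(m.group(1).decode("ascii")), data)

# keyword -> rule id (ids follow the report; the set is illustrative)
KEYWORD_RULES = {
    b"/JavaScript":   "PDF_JAVASCRIPT",
    b"/JS":           "PDF_JS",
    b"/EmbeddedFile": "PDF_EMBEDDED",
    b"/XFA":          "PDF_XFA",
    b"/Launch":       "PDF_LAUNCH",
    b"/OpenAction":   "PDF_OPENACTION",
}
BUTTON_TRIGGERS = (b"/SubmitForm", b"/URI", b"/Launch", b"/JS")

def _count_name(data: bytes, name: bytes) -> int:
    # a name ends at whitespace or a PDF delimiter, so /JS does not match /JSON
    return len(re.findall(re.escape(name) + rb"(?=[\s/\[\]<>(){}%]|$)", data))

def scan_keywords(data: bytes) -> dict:
    data = normalise_names(data)
    hits = {rule: _count_name(data, kw) for kw, rule in KEYWORD_RULES.items()}
    # the report's PDF_ACROFORM_BUTTON rule: a /Btn field plus any action trigger
    if _count_name(data, b"/Btn") and any(_count_name(data, t) for t in BUTTON_TRIGGERS):
        hits["PDF_ACROFORM_BUTTON"] = 1
    return {k: v for k, v in hits.items() if v}

# A greedy pattern swallows the ")" closing a PDF string and runs into the next
# dictionary key; that is how "http://www.primopdf.com)/Producer(AFPL" appears.
_URL_GREEDY = re.compile(rb"https?://\S+")
# Stopping at string/dict delimiters yields the URL the author actually wrote.
_URL = re.compile(rb"https?://[^\s()<>\[\]{}\"']+")
NAMESPACE_HOSTS = {"www.xfa.org", "www.w3.org", "ns.adobe.com", "purl.org"}

def greedy_urls(data: bytes) -> list:
    return [m.group(0).decode("latin-1") for m in _URL_GREEDY.finditer(data)]

def _context(data: bytes, pos: int) -> str:
    """Label the channel that reached the URL from the 48 bytes before it."""
    window = data[max(0, pos - 48):pos]
    if b"xmlns" in window:
        return "xml-namespace"
    if b"/URI" in window:
        return "uri-action"
    if b"/Creator" in window or b"/Producer" in window:
        return "document-info"
    return "body"

def extract_urls(data: bytes) -> list:
    """(url, context, kind) triples; kind separates schema URIs from real hosts."""
    data = normalise_names(data)
    out = []
    for m in _URL.finditer(data):
        url = m.group(0).decode("latin-1")
        host = urlsplit(url).hostname or ""
        kind = "schema-namespace" if host in NAMESPACE_HOSTS else "external"
        out.append((url, _context(data, m.start()), kind))
    return out

def triage(data: bytes) -> dict:
    """Keyword hits plus the subset of URLs an action can actually reach."""
    urls = extract_urls(data)
    return {
        "hits": scan_keywords(data),
        "urls": urls,
        "fetch_targets": [u for u, ctx, kind in urls
                          if kind == "external" and ctx == "uri-action"],
    }
```

Run against the constructed sample, triage() reports one hit each for PDF_JAVASCRIPT, PDF_JS, PDF_EMBEDDED, PDF_XFA, PDF_OPENACTION and PDF_ACROFORM_BUTTON, four URLs of which only the /URI-action target is a fetch target, and greedy_urls() reproduces the over-read artifact. Applied to the URL list above, the same classification would mark every entry as document-info or xml-namespace.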

Extracted artifacts (24)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

embedded_file_obj0147.bin
  SHA-256: f8f36c0a620cddb1e7e8a5bd05b72bdd9e84de8405f850e9f8f00bbda317dbd1
  pdf-embedded-file; PDF EmbeddedFile object 147 at offset 0x45BAC; 946 bytes
embedded_file_obj0148.bin
  SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
  pdf-embedded-file; PDF EmbeddedFile object 148 at offset 0x45D29; 85 bytes
embedded_file_obj0228.bin
  SHA-256: f7ee3ef2f8f35d669a6c2b8b0b0ee89655bbc3d04b107a8d22531830f6fc28a1
  pdf-embedded-file; PDF EmbeddedFile object 228 at offset 0x4D9DD; 86 bytes
embedded_file_obj0229.bin
  SHA-256: b87342f34e6b15abb0173a3029b65d4c137f13140ed2eaf4d67b4a585d6ab695
  pdf-embedded-file; PDF EmbeddedFile object 229 at offset 0x4DA92; 2205 bytes
embedded_file_obj0230.bin
  SHA-256: 988a076596b61995d264400d9ed1148ab409e3bbad4710abfc706aca08e23c3c
  pdf-embedded-file; PDF EmbeddedFile object 230 at offset 0x4DE88; 11825 bytes
embedded_file_obj0231.bin
  SHA-256: 842129517975bd2d8171940318333c17f5909cc77e746c1194cb6ebe05de8b90
  pdf-embedded-file; PDF EmbeddedFile object 231 at offset 0x4E710; 305 bytes
embedded_file_obj0232.bin
  SHA-256: 2d58413fda1ff20c994606823bf49e41194612c0137b6315e50fa7bdc01f1e09
  pdf-embedded-file; PDF EmbeddedFile object 232 at offset 0x4E827; 2423 bytes
embedded_file_obj0233.bin
  SHA-256: 500856001a9edb17a299f41c8b34871c12c85d56ec8eff03ef181fca24bb96b5
  pdf-embedded-file; PDF EmbeddedFile object 233 at offset 0x4EB0A; 200 bytes
embedded_file_obj0234.bin
  SHA-256: 91ed78eaf144e347e1266d5b4c24362f979e35b2a81ce206c69f0598a0994713
  pdf-embedded-file; PDF EmbeddedFile object 234 at offset 0x4EC00; 1218 bytes
embedded_file_obj0235.bin
  SHA-256: 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19
  pdf-embedded-file; PDF EmbeddedFile object 235 at offset 0x4EE5D; 80 bytes
embedded_file_obj0236.bin
  SHA-256: 4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1
  pdf-embedded-file; PDF EmbeddedFile object 236 at offset 0x4EF08; 56 bytes
embedded_file_obj0247.bin
  SHA-256: 92ca173e6339c62c3a9e5fca8c3f228cf4538707572fce03e6e5b7b0cc3d42f6
  pdf-embedded-file; PDF EmbeddedFile object 247 at offset 0x53CD2; 96 bytes
javascript_obj0036_000.js
  SHA-256: f979542c4992f256c12537db5bbe5f86605da11ef877e634ccfc2c47c9284b10
  pdf-javascript-stream; PDF /JS object 36 at offset 0x921C; 1604 bytes
javascript_obj0037_001.js
  SHA-256: 3bf84668674e23c91aaaa6c58c24a1f80a30566e9cfbd09040882d18101fed76
  pdf-javascript-stream; PDF /JS object 37 at offset 0x9404; 902 bytes
javascript_obj0038_002.js
  SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
  pdf-javascript-stream; PDF /JS object 38 at offset 0x956E; 2798 bytes
javascript_obj0225_003.js
  SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
  pdf-javascript-stream; PDF /JS object 225 at offset 0x4D387; 1532 bytes
javascript_obj0226_004.js
  SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
  pdf-javascript-stream; PDF /JS object 226 at offset 0x4D573; 870 bytes
javascript_obj0227_005.js
  SHA-256: 826c5622c798d67e5281cca7e05933dddc90ccdcb0a6177c9f7d06f11bef8f7f
  pdf-javascript-stream; PDF /JS object 227 at offset 0x4D6CE; 2795 bytes
stream_022_off0001ddb4.bin
  SHA-256: f857d030f37003a960bff8561144e0fccb7ed9478a1135d82d063474bfc8b6b6
  decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x1DDB4; 1423374 bytes
embedded_pdf_script_0000273b.bin
  SHA-256: 39876b209b05040a8a6105d93e821dcb507b0d9448342468b8bed4dfb80d6e3f
  pdf-embedded-script; PDF raw stream script payload at offset 0x273B; 3121 bytes
font_00_sfnt_off0001203f.bin
  SHA-256: f287dfdee8bdcf5a062679817ebef224bd3effa291896537036a2d0683dbec68
  pdf-font-stream; PDF embedded font (sfnt) at offset 0x1203F; 14220 bytes
font_01_sfnt_off00016664.bin
  SHA-256: f90e5e6be7930b8384517310f982756d8ac634c4be0a56fa91c54f0efa0f8fb3
  pdf-font-stream; PDF embedded font (sfnt) at offset 0x16664; 15988 bytes
font_02_sfnt_off000187bf.bin
  SHA-256: b04823b4afb4f7c604b7738045f3ee39f47f70d1c44e77e2b6299d2bea1da8b8
  pdf-font-stream; PDF embedded font (sfnt) at offset 0x187BF; 26784 bytes
font_03_sfnt_off0001c546.bin
  SHA-256: 02fe4ee6c8837aaa7ec7979a1f8d03698364b7707bb724f4d6a398a5d52b8589
  pdf-font-stream; PDF embedded font (sfnt) at offset 0x1C546; 11740 bytes
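The carver below is an added example, not the tool that produced the table above. It shows how records of the form "PDF EmbeddedFile object 147 at offset 0x45BAC, 946 bytes" and "FlateDecoded stream at offset 0x1DDB4, 1423374 bytes" are derived: locate each "N G obj" whose body carries a stream, take the data by its direct /Length (falling back to an endstream scan), hash it, and inflate FlateDecode streams under a size cap. The cap is the point worth carrying away: a 355.7 KB file that legitimately expands one stream to 1.4 MB is unremarkable, but the same code path must never be allowed to inflate without bound. The sample PDF, the kind labels and the 50 MiB default are assumptions made for this example.

```python
"""Carve, hash and safely inflate PDF stream objects.

Added example, not the report's own carver. The two-object sample PDF, the
kind labels and the 50 MiB inflation cap are assumptions.
"""
import hashlib
import re
import zlib

SAMPLE_CONTENT = b"BT /F1 12 Tf (hello) Tj ET\n" * 200   # repetitive, so it inflates well

def build_sample_pdf() -> bytes:
    """Constructed two-object PDF: one Flate stream, one raw EmbeddedFile."""
    packed = zlib.compress(SAMPLE_CONTENT)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed),
        packed, b"\nendstream\nendobj\n",
        b"2 0 obj << /Type /EmbeddedFile /Length 4 >>\nstream\nMZ!!\nendstream\nendobj\n",
    ])

_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
_STREAM = re.compile(rb"\bstream\r?\n")          # \b keeps "endstream" from matching
# direct /Length only; an indirect "/Length 7 0 R" falls back to the endstream scan
_LEN = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify(header: bytes) -> str:
    """Coarse kind label from the stream dictionary, in the report's vocabulary."""
    if b"/EmbeddedFile" in header:
        return "pdf-embedded-file"
    if b"/Length1" in header or b"/FontFile" in header:
        return "pdf-font-stream"
    return "pdf-stream"

def carve_streams(data: bytes, max_inflate: int = 50 * 1024 * 1024) -> list:
    """One record per stream object: number, absolute data offset, sizes, SHA-256.
    A real carver should also honour the xref table; this one walks objects linearly."""
    records = []
    for m in _OBJ.finditer(data):
        nxt = _OBJ.search(data, m.end())
        obj = data[m.start(): nxt.start() if nxt else len(data)]
        s = _STREAM.search(obj)
        if not s:
            continue                                   # not a stream object
        header = obj[:s.start()]
        length = _LEN.search(header)
        if length:
            raw = obj[s.end(): s.end() + int(length.group(1))]
        else:
            raw = obj[s.end(): obj.find(b"endstream", s.end())].rstrip(b"\r\n")
        rec = {"obj": int(m.group(1)), "offset": m.start() + s.end(),
               "kind": classify(header), "filter": None,
               "raw_size": len(raw), "decoded_size": len(raw),
               "truncated": False, "sha256": sha256_hex(raw)}
        if b"/FlateDecode" in header:
            rec["filter"] = "FlateDecode"
            d = zlib.decompressobj()
            try:
                out = d.decompress(raw, max_inflate)   # cap: never inflate unbounded
            except zlib.error:
                pass                                   # corrupt data: keep the raw hash
            else:
                # eof is False when the cap stopped us before the stream ended
                rec.update(decoded_size=len(out), truncated=not d.eof,
                           sha256=sha256_hex(out))
                if rec["kind"] == "pdf-stream":
                    rec["kind"] = "decompressed-pdf-stream"
        records.append(rec)
    return records
```

On the constructed sample, carve_streams() yields a decompressed-pdf-stream record whose SHA-256 is that of the inflated content and a pdf-embedded-file record hashed over the raw four bytes; lowering max_inflate to 100 returns exactly 100 decoded bytes with truncated set, which is the signal a triage pipeline should surface rather than silently hashing a partial buffer.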