Malicious PDF — malware analysis report

Static analysis result for SHA-256 5efe3d3c6f3b899b…

Verdict: MALICIOUS
File type: PDF
Size: 1.32 MB
First seen: 2021-10-23
MD5: 0a38fa3af62329c66271c52344594b62
SHA-1: 309eeb885a3281509a904dc9c49cd5c48da1bdf5
SHA-256: 5efe3d3c6f3b899bb5ace7e43ff279424bf9b45ee7915e206b36647803710764
Risk Score: 116

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The critical heuristic 'PDF_JS_EXPORT_LAUNCH_DROPPER' indicates that this PDF is designed to launch an embedded file upon opening. The presence of embedded JavaScript streams further supports this, suggesting the script is responsible for executing the payload. The ML classifier also strongly flagged this PDF as malicious. The exact nature of the second-stage payload is not discernible from the provided evidence, but the overall pattern is consistent with a dropper.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9228

Heuristics (5)

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • exportDataObject + nLaunch — embedded-file launch-on-open dropper critical PDF_JS_EXPORT_LAUNCH_DROPPER
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment. (matched in decompressed stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ocsp.verisign.com0 (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/ (in PDF document text)
    • http://crl.verisign.com/ThawteTimestampingCA.crl0 (in PDF document text)
    • http://crl.verisign.com/tss-ca.crl0 (in PDF document text)
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0O (in PDF document text)
    • http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0 (in PDF document text)
    • http://www.microsoft.com/typography (in PDF document text)
    • https://www.verisign.com/rpa (in PDF document text)
    • http://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0D (in PDF document text)
    • https://www.verisign.com/rpa0 (in PDF document text)
    • http://csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0 (in PDF document text)
    • http://www.adobe.com/type/http://www.adobe.com/type/legal.html (in PDF document text)
    • http://www.adobe.com/typehttp://www.adobe.com/type/legal.html (in PDF document text)
    • http://www.adobe.com/type/http://www.tiro.com/http://www.adobe.com/type/legal.html (in PDF document text)

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_009_off00005728.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5728 | 59314 bytes | 5d8c54c8892629d69b6e748c625f40037eab9b997b1be34ade96365dbcb6bace
stream_011_off00022f6a.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x22F6A | 472646 bytes | 28a85c3e3cb6942f0b308687a7b1f0f10ec2fa10bd9a8a5438cb9d03304b9eeb
stream_014_off000aa397.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xAA397 | 231294 bytes | 4e4d9647d2cccb4de06922b6f45465ff33fcd08b9e8677824cf2c9dc28b2a63f
stream_021_off0014e28e.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x14E28E | 20630 bytes | 7af7f81beac8b4a98e28270379bb399a78be835c8517a05e664c1ff2bafeb505
stream_022_off0014faea.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x14FAEA | 1423 bytes | b760e56352c257a2fc2f8ea3e1c92bbaaca99c7b36cb74a400dd11dbcb780832
objstm_0140_00.bin | pdf-objstm-decoded | PDF /ObjStm 140 0 obj (inflated) | 1372 bytes | f75f06c44c70d73dfae660617390dc368cf956e2b0ae039db130239f80ee510e
font_00_sfnt_off00070543.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x70543 | 94351 bytes | 1626e6329f65d0d35cdf751ec668ac4b8800d726707d01e7810bb8297d789dee
font_02_sfnt_off00129502.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x129502 | 358011 bytes | 3be790243582eb35724c4b762884b9e1288b428f0521f0397fe7fc8939e85a84