Malicious PDF — malware analysis report

Static analysis result for SHA-256 60146444745bf8a3…

MALICIOUS

PDF

554.2 KB
MD5: c13614a0758224cc1bb4dbe425d154cf SHA-1: 1a7e37fa04633c92f78386d2cef5b161a184c959 SHA-256: 60146444745bf8a3e3c145bbc314bd9b68a390edb5a6dd04a0775b5da930c3a8
64 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The PDF file contains an embedded script payload, indicated by the PDF_EMBEDDED_SCRIPT_PAYLOAD heuristic. This script is likely designed to exploit the CVE-2017-0199 vulnerability, as suggested by the presence of a related URL in the document's metadata. The embedded script's purpose is to download and execute a secondary payload, which is a common technique for initial access and further compromise.

Machine Learning

  • Nyx PDF Classifier clean score 0.0023

Heuristics 4

  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
    • https://virustotal.com/en/file/f4a0f65e9161a266b557e3850e3d17f08b2843ee560f8a89ecf7059eba104e66/analysis
    • https://msdn.microsoft.com/en-us/library/dd942265.aspx
    • https://sites.google.com/site/zerodayresearch/Analysis_of_the_Attack_Surface_of_Microsoft_Office_from_User_Perspective_final.pdf
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms691433
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms221027
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms691433\(v=vs.85\).aspx
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms221027\(v=vs.85\).aspx

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_0007b310.bin
f838b7b7d325892da45f53e0873de226df2be34535ed6cc22efa7219e6107c68		 pdf-embedded-script PDF decompressed stream script payload at offset 0x7B310 567464 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.