Malicious PDF — malware analysis report

Static analysis result for SHA-256 61b094c506ef1550…

MALICIOUS

PDF

906.6 KB Created: 2012-01-25 14:31:50 +01:00 Authoring application: iTextSharp 5.0.5 (c) 1T3XT BVBA
MD5: 9339e60fcf3ff67dcb311f140789725c SHA-1: 6de4d37d40cf56b9a6ada6a29fbca0c2d0a59bda SHA-256: 61b094c506ef155089e596aad3dc264d0958491e769e826c13fb2b0441da0cd0
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains a hidden external HTML iframe, indicating an attempt to load external content. The presence of XFA forms and optional content groups with action triggers further suggests malicious intent. The embedded URL http://www.ereading.cz/mamu.htm is likely used to host and deliver a secondary payload, which is then executed on the victim's machine.

Machine Learning

  • Nyx PDF Classifier clean score 0.0078

Heuristics 5

  • PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAME
    PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.ereading.cz/mamu.htm
    • http://ocsp.verisign.com0
    • http://www.monotype.comMonotype
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xmp/InDesign/private
    • http://purl.org/dc/elements/1.1/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://crl.verisign.com/tss-ca.crl0
    • http://crl.verisign.com/ThawteTimestampingCA.crl0
    • http://logo.verisign.com/vslogo.gif0
    • https://www.verisign.com/rpa
    • http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
    • https://www.verisign.com/rpa0
    • http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
    • https://www.verisign.com/cps0*
    • http://logo.verisign.com/vslogo.gif04
    • http://crl.verisign.com/pca3-g5.crl04
    • http://www.adobe.com/typehttp://www.adobe.com/type/legal.html
    • https://www.verisign.com/repository/CPS��
    • https://www.verisign.com
    • https://www.verisign.com/repository/verisignlogo.gif0��
    • https://www.verisign.com/CPS0b
    • http://www.microsoft.com/typography
    • http://ocsp.verisign.com/ocsp/status0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
    • http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.html

Extracted artifacts 17

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_031_off0005f3fa.bin
10657ec12000410aef7800ccb60bb49e8ec7a7fb4484e43df81ad52e5f12679b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5F3FA 217266 bytes
stream_038_off00087f6b.bin
53f537d7cfbdfc2dec55a28c0c022cb3b491dbd8032cd115ce05c709e38be789		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x87F6B 14815 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.44, consistent with packed or encrypted content.
stream_061_off000a38e0.bin
b8e14d3f76a6bfb229cc1308d0413e3f7466762e9456c54f1308d37fed90792a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xA38E0 11268 bytes
stream_065_off000aace0.bin
b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xAACE0 367087 bytes
font_00_cff_off00040c42.bin
d317aed38ce47bc10cd9d8641f860264c831effefd8aa0513eaa5b0ddf105511		 pdf-font-stream PDF embedded font (cff) at offset 0x40C42 2444 bytes
font_01_cff_off000417a7.bin
e7dd052355330459d5386768d15102e3c95bebd16964df8155ae2db10940e5e4		 pdf-font-stream PDF embedded font (cff) at offset 0x417A7 3374 bytes
font_02_cff_off0004260f.bin
eb9bbc6b1b3023436407160fc06325b2853d25e11f46560b1245fbe64b2c6b95		 pdf-font-stream PDF embedded font (cff) at offset 0x4260F 1330 bytes
font_03_cff_off00042e98.bin
456e364e7b7904897569ca3391057f881b47024d8b3d8049729ccd64ea956a74		 pdf-font-stream PDF embedded font (cff) at offset 0x42E98 4393 bytes
font_04_cff_off0004401d.bin
8fec16731e9d674e8193448ba20b6af88bdd213921b84cbfeeae4a997c99375f		 pdf-font-stream PDF embedded font (cff) at offset 0x4401D 2236 bytes
font_05_cff_off0004d84e.bin
5474b9a4555a1c7f86080a51bf0fe7225ad805d8814c65b7805c41f19665b370		 pdf-font-stream PDF embedded font (cff) at offset 0x4D84E 1468 bytes
font_06_cff_off0005ede7.bin
2a0f46ade492154cac4e91ddd0c38af862240704e4829d0ba38c7a0706ba8618		 pdf-font-stream PDF embedded font (cff) at offset 0x5EDE7 674 bytes
font_08_cff_off00085572.bin
d127dc66b78d8410d3149fee87d42f2f6087710e71f530afb7c31b7c9d4f6e4e		 pdf-font-stream PDF embedded font (cff) at offset 0x85572 9903 bytes
font_10_cff_off0008bcd3.bin
f6a1542f07a1d784ba6aef8fab339a22d9435a7db2b3295a3658c500e2963bb9		 pdf-font-stream PDF embedded font (cff) at offset 0x8BCD3 14346 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.48, consistent with packed or encrypted content.
font_11_cff_off00090412.bin
9b06b8acf0f8820425dbeb9ece9b28215787e2ad40c03868fcde3a7e76bca403		 pdf-font-stream PDF embedded font (cff) at offset 0x90412 7616 bytes
font_12_cff_off00093302.bin
c024a058270a4a6c168480b47b5f244bef996f910511e23b814d886eab6d0095		 pdf-font-stream PDF embedded font (cff) at offset 0x93302 3436 bytes
font_13_cff_off0009c506.bin
21c7fd790c987cdacee691954566f6d8f598f1b0e95199ca09e64195199ade45		 pdf-font-stream PDF embedded font (cff) at offset 0x9C506 4311 bytes
font_14_cff_off000a1966.bin
321484bfa229b5d31c573afceda538ad7d5f9a5e45685c1fef4978973237fbd6		 pdf-font-stream PDF embedded font (cff) at offset 0xA1966 7609 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.