Malicious PDF — malware analysis report

Static analysis result for SHA-256 673e0fbae9415c7b…

MALICIOUS

PDF

336.0 KB Created: 2011-06-30 15:13:40 +08:00 Authoring application: Writer (via LibreOffice 3.4)
MD5: 114186edfa48182a7fb318d1fd295c2b SHA-1: 4cd41ac5e6fdd5c06862277c331b18d2414bd2b7 SHA-256: 673e0fbae9415c7b38be01de8f548e0d587ea4981b289817220952b57d72781d
306 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS_EXPLOIT_CLUSTER. The JavaScript itself is minimal, only triggering an alert box, but its presence within an embedded PDF child and XFA form suggests malicious intent. The ML classifier also strongly flagged this PDF as malicious. Given the lack of specific malicious URLs or complex script behavior, the primary threat is likely the exploitation of PDF vulnerabilities or the use of the alert as a social engineering lure, potentially as part of a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics 11

  • Embedded PDF child has suspicious static findings critical PDF_EMBEDDED_CHILD_STATIC_TRIAGE
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 37 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.8/
    • http://www.xfa.org/schema/xfa-template/2.8/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://ns.adobe.com/xtd/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://cgi.adobe.com/special/acrobat/update

Extracted artifacts 18

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
2bbe69c5e9b01e09ead01d39980623115955d79663f86ee38c3e26d62468aede		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x380F 163 bytes
embedded_file_obj0002.bin
2db2fcfa6c7f0b58af35cd0b7a546eab3e22594fa9e6a322d8448248c1371742		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x38FF 1683 bytes
embedded_file_obj0003.bin
6824595d40fe37ff3a17665623abb424df29f2bf3924106e83b1192a2fc6fa0d		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x3C21 784 bytes
embedded_file_obj0004.bin
720c47f19e6a058099295d18a16b7149cc73fe497eb78821ea810f3192228dc4		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x3E15 150 bytes
embedded_file_obj0005.bin
c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x3EE6 2955 bytes
embedded_file_obj0006.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x4260 200 bytes
embedded_file_obj0007.bin
41b90835819d2fc9adfbed1f624b97daf557be436627d29ad24fdfcbedc74198		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x4353 835 bytes
embedded_file_obj0008.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x452B 56 bytes
embedded_file_obj0072.bin
676abdf89259991bbde6a57a2423c629870a437bc477a903574eba3570861622		 pdf-embedded-file PDF EmbeddedFile object 72 at offset 0x7E20 162 bytes
embedded_file_obj0073.bin
b646c863068dd809ba1fe5481aecb499465f1bd3a044f7733fe3d3935e312efb		 pdf-embedded-file PDF EmbeddedFile object 73 at offset 0x7F10 96 bytes
javascript_obj0075_000.js
b4c77449deb96f0bd59c15743f54f9192b3b7e5a2f49d6a129eb783aa7e7d78f		 pdf-javascript-stream PDF /JS object 75 at offset 0x7FF5 44 bytes
stream_002_off000003d6.js
529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3D6 1363 bytes
stream_003_off000005b3.js
e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5B3 902 bytes
objstm_0041_00.bin
cc0d110077f81314ac59a491675430d25faa86bdc2526ed35971cf361ac83464		 pdf-objstm-decoded PDF /ObjStm 41 0 obj (inflated) 1575 bytes
stream_006_off000088d4.js
ded940b77b9a3e0e4eaa9475cad5e9eb88e987a0b7ab9f46cb752799f3aca6c4		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x88D4 38286 bytes
objstm_0016_00.bin
3cbf19b006091b3e421e5c1cd1c8127430c1fddb99de414cc59098dfd09ec272		 pdf-objstm-decoded PDF /ObjStm 16 0 obj (inflated) 967 bytes
polyglot_child_pdf_off00029e19.pdf
417b447b3fe496379090e989b3dae4c3b33a5a259a91b18cf9b75eaa0e98677c		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x29E19 172544 bytes
polyglot_child_pdf_off0005282a.pdf
9a95102ad6b4d58a9a742832f61490a27e9b62855fe295b13214addfda321ad3		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x5282A 6127 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.