Malicious PDF — malware analysis report

Static analysis result for SHA-256 6acdb15233c20060…

Verdict: MALICIOUS
File type: PDF
Size: 5.98 MB
Created: 2010-08-31 13:14:52 UTC
Authoring application: Microsoft Word (via Mac OS X 10.5.8 Quartz PDFContext)
MD5: aa7324f9424103f43fe4b6d3ffc5f9c2
SHA-1: 2d0e782ca5da0cc89378019bb6880d4ceb385053
SHA-256: 6acdb15233c200606e940e3e72445dbf022cc86ccb196bcb5c7dc2b28e860dd4
Risk score: 180

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains embedded JavaScript and multiple embedded files, including other PDFs, suggesting a multi-stage attack. The 'SE_ADVANCE_FEE_SCAM_LURE' heuristic strongly indicates the document's purpose is to trick the user into paying money for a fake prize or delivery. The embedded JavaScript, while not directly executing malicious code in this instance, is part of the PDF's overall exploitability and obfuscation strategy, contributing to the attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics (9)

  • POLYGLOT_CHILD_PDF_STATIC_TRIAGE (critical): Secondary embedded PDF body has suspicious static findings
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • SE_ADVANCE_FEE_SCAM_LURE (high): Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • PDF_MANY_STREAMS (medium): Unusually high stream count
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_EMBEDDED (low): Embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (32)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| JBF.pdf | 874c341e863708e09aff6df9bc940aa1aa4fc89851892c03b4bd1cd33c0d1953 | pdf-embedded-file | PDF EmbeddedFile object 1623 at offset 0x2D6854 | 111390 bytes |
| tpilpel.pdf | 067d599d379e2ae316b06037ab631c8d7bfc94db83e56cf4ef0a56caad5b54ff | pdf-embedded-file | PDF EmbeddedFile object 2533 at offset 0x40445C | 109427 bytes |
| javascript_obj0988_000.js | 736c69993d4cd953676f5971bd943955c344f3001c77f281afd5d8df5a456b51 | pdf-javascript-stream | PDF /JS object 988 at offset 0x139C | 1379 bytes |
| icc_00_off00002cc0.icc | 2a18161bb96fd584d19e737ce294732789e0e8e6ae8c8e4e5f09f1b138232a63 | pdf-icc-profile | PDF ICC profile at offset 0x2CC0 | 1456 bytes |
| icc_01_off0008f5e9.icc | 4abc5b9b591346b595d9a01568d01ebe51ae28c4e1fd99a95b1aef5b6babfbca | pdf-icc-profile | PDF ICC profile at offset 0x8F5E9 | 704 bytes |
| icc_02_off0009cdc8.icc | 6a2219c0dc16d6d0f4ef4d0ac2fd9fc75257ab7babce4331dfa3c2ba3cb000ae | pdf-icc-profile | PDF ICC profile at offset 0x9CDC8 | 704 bytes |
| icc_03_off001170f9.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x1170F9 | 3144 bytes |
| icc_04_off0012cbeb.icc | 94722fe267764797f8887379cc0d355f5118beb3d186e087bfbd9e1a3f2d3f49 | pdf-icc-profile | PDF ICC profile at offset 0x12CBEB | 1296 bytes |
| icc_09_off001bcc9d.icc | eda03c8910c87b8a3e3c1ffbc35d223da8ae1d0dcfbad0c153c4eefbff436723 | pdf-icc-profile | PDF ICC profile at offset 0x1BCC9D | 1328 bytes |
| icc_11_off00320867.icc | eefbe1e4f64e2d3dc1614343a47c57aa5ab1e88e8ee1f8bc7f22cd097595bb65 | pdf-icc-profile | PDF ICC profile at offset 0x320867 | 3588 bytes |
| icc_12_off0032145c.icc | 3f6d674174f3804eb0dabdac90ae17486e898c5063a66f861c116ea033da8301 | pdf-icc-profile | PDF ICC profile at offset 0x32145C | 3144 bytes |
| font_00_sfnt_off0000585c.bin | 21210c1056784d889d51f4cd13a709dabff8d7f1fe54cbdcaac2cdcd6f523a75 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x585C | 12216 bytes |
| font_01_sfnt_off000079e5.bin | 3379d31eca9426bfd9c885143dfda9d5563c2431b797a5ba2f122cbe487d8217 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x79E5 | 12320 bytes |
| font_02_sfnt_off0000a017.bin | a96d80af6c29227d7d1c97a032a10f4037e24a64870902cd42bd2f15e86f2a24 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA017 | 18116 bytes |
| font_03_cff_off00029c93.bin | 12b6eec1a7a22b655d325f776d188ee57e8aed9c1c9be9d5b02f735d2e782a40 | pdf-font-stream | PDF embedded font (cff) at offset 0x29C93 | 887 bytes |
| font_04_cff_off0003bd4e.bin | 2bcb8be84e320391ae06202f1586924a7e1927f2fd6d41932d92fa1134af1a8a | pdf-font-stream | PDF embedded font (cff) at offset 0x3BD4E | 2139 bytes |
| font_05_cff_off0003c72f.bin | 1a58fae190d4d0bf7307b7d25d77cfff63ff863e3fceaf640f27e578d20e8d9f | pdf-font-stream | PDF embedded font (cff) at offset 0x3C72F | 2745 bytes |
| font_06_cff_off0005263a.bin | 4ef1833a96021a014c7f793a7a0bb58cd422c8ed5adb30c672f84c87b1179629 | pdf-font-stream | PDF embedded font (cff) at offset 0x5263A | 509 bytes |
| font_07_cff_off000529c8.bin | b2e0ac974111494926cb15c0406d0e3c75afdd4e0fc7efa0b71b4c36efc0b715 | pdf-font-stream | PDF embedded font (cff) at offset 0x529C8 | 1136 bytes |
| font_08_cff_off0005f951.bin | 1f98d07656c20a8cdb53e2d67b599cbab8615ae08d50889d702ac95cdb4763d1 | pdf-font-stream | PDF embedded font (cff) at offset 0x5F951 | 2026 bytes |
| font_09_cff_off00075d06.bin | 671ab432c7759de8d8dd0b811561a156c4bb0c0a6e4214f3e29c63f39da6b817 | pdf-font-stream | PDF embedded font (cff) at offset 0x75D06 | 1757 bytes |
| font_10_cff_off00076596.bin | 27c1fde03b201537555a16c4e44308330cd0e6aa96e69bb0f04e64474bc4f94c | pdf-font-stream | PDF embedded font (cff) at offset 0x76596 | 216 bytes |
| font_11_cff_off000767d1.bin | b50589bb37dd51d6cafe2520ddbcc512bd5e53ffa42f41ef5b8b2d97266eb0f8 | pdf-font-stream | PDF embedded font (cff) at offset 0x767D1 | 988 bytes |
| font_12_cff_off0007a99a.bin | f6b824a181e392bcdcb58cc110aa77ef297ef55eae78abd9774dbe454c838417 | pdf-font-stream | PDF embedded font (cff) at offset 0x7A99A | 1637 bytes |
| font_13_cff_off00084425.bin | 733a898095268cada7711cf8cb26e0ab13fb88f0984452fe3da44c8de8b9cc68 | pdf-font-stream | PDF embedded font (cff) at offset 0x84425 | 868 bytes |
| font_14_sfnt_off00091700.bin | e628fa64688e3d5761dc73c28cfe9a9eb015844bab61943c94ce9bb83e2fd866 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x91700 | 7416 bytes |
| font_15_sfnt_off00092c4f.bin | a4c52261cbafb7c0671777736f7f9bd3c5d8f92e6c5aad8b530e0fc5431fe2ab | pdf-font-stream | PDF embedded font (sfnt) at offset 0x92C4F | 5724 bytes |
| font_16_sfnt_off00093d29.bin | 8d328985c6a122943206d1fb74f9a1cd75b4bb1c56590194f7744100efa0855b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x93D29 | 6320 bytes |
| font_17_sfnt_off00095002.bin | f85c4a006be563af738adf3226cbb203cf6ebc9212e365b141382ad9e260fc48 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x95002 | 6112 bytes |
| font_18_sfnt_off000961a2.bin | c1e8eec3ee97fe2f5c146df5917548933b7b42862a93d007de2be2c9e71d07fa | pdf-font-stream | PDF embedded font (sfnt) at offset 0x961A2 | 2024 bytes |
| font_19_sfnt_off00096a0a.bin | 02e6b6fadd97842e73028cb941c20aeccc4bb9931f438ecb5e241fffb63d7d1c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x96A0A | 1768 bytes |
| font_20_sfnt_off000970cc.bin | 8b1f973a0080879374887d7b5e04174c3b390b98c63bd4c92f761fc0c8898087 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x970CC | 1540 bytes |