Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c032ef225281753…

MALICIOUS

PDF

991.8 KB Created: 2010-05-30 12:49:21 +08:00
MD5: 4d6f45715083676cebd1851d0ae91f86 SHA-1: ad0e6e2f0ef9b3b1d58a5d60cbbb46170d5a503c SHA-256: 6c032ef2252817531d01090f3d5490b702d937c3ea49e8a1fb7a78e5100d2155
118 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and a critical heuristic firing for an embedded Windows executable payload (PsNull3.exe). This indicates the document is designed to exploit vulnerabilities to execute arbitrary code. The embedded JavaScript, though partially obfuscated, appears to interact with PDF features to potentially trigger the payload. The presence of multiple unknown URLs suggests potential command and control or download infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5345

Heuristics 6

  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://localhost
    • http://127.0.0.1
    • http://127.0.0.1/messagewrite.asp
    • http://www.iso-gd.com.cn
    • http://www.palmbiz.net
    • http://www.chinabbc.com.cn/lianmeng
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
PsNull3.exe
48727ec792859258f264d74ccd299ceeb2ff0368c42e694d315b1d12553e9f45		 pdf-embedded-file PDF EmbeddedFile object 271 at offset 0xDBEA0 119296 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.85, consistent with packed or encrypted content.
javascript_obj0268_000.js
97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61		 pdf-javascript-stream PDF /JS object 268 at offset 0xDB51E 1946 bytes
stream_096_off000db51e.js
5c1ab2af46eef55b0d162c3a84464633475df9b138b64aa21a36ffaffbdffa88		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xDB51E 1336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.