Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ee83c03dfeb6d20…

MALICIOUS

PDF

204.5 KB Created: 2011-05-11 16:03:06 +08:00 Authoring application: Acrobat PDFMaker 9.1 Word 版 (via Adobe PDF Library 9.0)
MD5: f26b151f5baf03c709f0e0153361680d SHA-1: a47eab7d8bdf08e76393762d54eb1afdaa66fd44 SHA-256: 6ee83c03dfeb6d20b1b9533846417d1430f8d1be7e7c2cc40b29309c5a702da6
216 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript and a RichMedia (Flash) object that exploits CVE-2011-0611. The embedded JavaScript and Flash content are designed to execute a malicious payload, likely a second-stage exploit or downloader. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9919

Heuristics 8

  • Adobe Flash Player RichMedia exploit critical CVE likely CVE_2011_0611_FLASH_RICHMEDIA
    PDF combines RichMedia Flash activation with an embedded AS3 SWF loader (ByteArray/loadBytes) and shellcode heap-spray staging. This is the static exploit shape associated with CVE-2011-0611 Flash content delivered through Adobe Reader.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://www.iec.ch

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
SkinOverPlay.swf
59d1843c79e347826e19d6e0062a0d05953ae67af013a3b9265ccca4f425aa1f		 pdf-embedded-file PDF EmbeddedFile object 39 at offset 0x9313 2925 bytes
javascript_obj0017_000.js
521d9713bb0fe35424ed8a826bfeda40ccc6304f5b534f4f31756ec0a6d6bac8		 pdf-javascript-stream PDF /JS object 17 at offset 0x5B5A 280 bytes
javascript_obj0153_001.js
274c4824f360a8b8dad5d02255d763a5840bf8145399838b59e2369614b5a7de		 pdf-javascript-stream PDF /JS object 153 at offset 0x2ABE 6334 bytes
generic_stage_recovery_000.js
abbff0d2f5c56e24e042ce35d6a7d8dcfbe3970e8d9b101cfc47c83962c61ac7		 deobfuscated-js generic stage recovery split-literal-normalize from combined JavaScript objects at offset 0x5B5A 6114 bytes
generic_stage_recovery_001.js
61a482628ec06b7e30eaa45da825dd09454e65abf235d1093138ab48579db2a6		 deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 153 at offset 0x2ABE 5833 bytes
icc_00_off000029a5.icc
653b586c4707574ffcd648ba35494daed2c76ceafcf4c07d315ed961b1dc347f		 pdf-icc-profile PDF ICC profile at offset 0x29A5 408 bytes
icc_01_off00005f81.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x5F81 3144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.