PDF static analysis report

Static analysis result for SHA-256 705e940e54908ebf…

SUSPICIOUS

PDF

69.4 KB Authoring application: Crystal Reports (via Powered By Crystal) First seen: 2013-09-11
MD5: 35f2b2bf9e0992bfeece62c135e7bcf3 SHA-1: 517daa393590b35d1a6c010ba8f16ff59bdc918b SHA-256: 705e940e54908ebf1471a7fe11a3456f37e3f50fb4f5d41d1d29835b1364e44b
56 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file contains embedded objects and an XFA form, which are often used to deliver malicious content. The ML classifier flagged this PDF as malicious with a high probability. While the document body is unreadable, the presence of an embedded URL suggests an attempt to download a secondary payload, likely leading to exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7205

Heuristics 4

  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.puremobile.com/help.asp In PDF document text
    • http://ns.adobe.com/xdp/In PDF document text
    • http://www.xfa.org/schema/xci/1.0/In PDF document text
    • http://ns.adobe.com/xtd/In PDF document text
    • http://www.xfa.org/schema/xfa-data/1.0/In PDF document text
    • http://ns.adobe.com/xfdf/In PDF document text
    • http://www.xfa.org/schema/xfa-form/2.8/In PDF document text
🗂 Part of campaign: neeviapdf.com 53 samples

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0049.bin pdf-embedded-file PDF EmbeddedFile object 49 at offset 0xD9C5 30237 bytes
SHA-256: 16d95c34f08bc34c050ad18034f517fd79c12740094db075625d68a91b301391
embedded_file_obj0047.bin pdf-embedded-file PDF EmbeddedFile object 47 at offset 0x10C2A 84 bytes
SHA-256: d81baa73e490e4cb879e13927cacd1dd1be37524a37eac51603e15117c578777
embedded_file_obj0048.bin pdf-embedded-file PDF EmbeddedFile object 48 at offset 0x10CDC 228 bytes
SHA-256: 24c130f03a4cf51d470b536e94c1e58af67665739e200e0ce198ad41086243c0
embedded_file_obj0050.bin pdf-embedded-file PDF EmbeddedFile object 50 at offset 0x10DCD 199 bytes
SHA-256: c97e0522381d6196cc0695f35f4d065f15c9c86a9601a7f776c6afd3f4c6b460
embedded_file_obj0051.bin pdf-embedded-file PDF EmbeddedFile object 51 at offset 0x10EBE 119 bytes
SHA-256: 846dfecc0c93797cb6db4301f6af323fffd76ffdf8c053c439495412785138e7
embedded_file_obj0052.bin pdf-embedded-file PDF EmbeddedFile object 52 at offset 0x10F76 77 bytes
SHA-256: e6c26a3478346d27e841ad49868ebf68bf4c6863b6750e8d60bda3c4c6f79876
embedded_file_obj0053.bin pdf-embedded-file PDF EmbeddedFile object 53 at offset 0x1101D 56 bytes
SHA-256: 92a3ce61d783e15932b5de127ce45a9b4c2f98f4da2453f65241573c1dda808a
stream_002_off00000c8e.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0xC8E 34056 bytes
SHA-256: abad6f91eafdb0e083580077f31cb616896fd8ea7751010400f0df402685eed0
font_01_sfnt_off00006aba.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6ABA 7356 bytes
SHA-256: 853c92a07711324fe349cc71a687d8f85e47694f55457cacbc57e35e64b5a104
font_02_sfnt_off000080b8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x80B8 1800 bytes
SHA-256: 5958bc363aa00a009e09e0666234f8a5d931a04cd1bbc68bb75ac0a5aa2ab9a0
font_03_sfnt_off000086bf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x86BF 22620 bytes
SHA-256: 18fb8921652f26d28c2d3a3c6297134031d170d198342dee17e22e4e1d735316