PDF malware analysis — malicious · 71f10e28f10c2f14

MALICIOUS

PDF

237.3 KB Created: 2011-11-18 13:58:58 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))

MD5: 68b7de1b433314b714bf89143527ed7a SHA-1: a152113d07ebbd1e1707696604e4a872bcc72b36 SHA-256: 71f10e28f10c2f14b579caaf50817c9ab5396fbade127ed3873534a0f0905f5a

92 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and a hidden iframe, indicating an attempt to exploit vulnerabilities for code execution. The embedded script is likely designed to download and execute a secondary payload, as suggested by the PDF_EMBEDDED_SCRIPT_PAYLOAD heuristic. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 0.9230

Heuristics 3

PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAME

PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.ndtv.com/video/live/channel/ndtv24x7 In PDF document text
- http://ibnlive.in.com/livetv/In PDF document text
- http://vaartaahaa.blogspot.com/2011/05/assembly-election-results-2011-live.htmlIn PDF document text
- http://www.gnu.org/copyleft/gpl.htmlIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename Kind Source Size

stream_003_off0000c003.bin
a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc decompressed-pdf-stream PDF FlateDecoded stream at offset 0xC003 264072 bytes

embedded_pdf_script_0003b1c3.bin
3c4df3716c4f5c81642ba716ee7366ff23c58a850b918739b22d8cd9a02ae64a pdf-embedded-script PDF decompressed stream script payload at offset 0x3B1C3 243026 bytes

Filename	Kind	Source	Size
`stream_003_off0000c003.bin` `a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xC003	264072 bytes
`embedded_pdf_script_0003b1c3.bin` `3c4df3716c4f5c81642ba716ee7366ff23c58a850b918739b22d8cd9a02ae64a`	pdf-embedded-script	PDF decompressed stream script payload at offset 0x3B1C3	243026 bytes
Preview script First 1,000 lines of the extracted script %PDF-1.5 3 0 obj <</Type /Page /Parent 1 0 R /Resources 2 0 R /Contents 4 0 R>> endobj 4 0 obj <</Filter /FlateDecode /Length 1546>> stream x��X[S�H �g �y�)��!�92N� ���>DAe a P� �O��$� �T ��\�s�t��{IJ+��vL��~�ӀZ� ��4��σ�_��vO�� /J� �� M�j�k� Ս�� Ex��w��j�fj�YR��U�� s ��5K��7 ��~��C �� %�� ^ �}�Emz�$ ��x�� B� � �q5\h ��q�}J�)�� ^Әԥ�� <c�p J� �%F>�� .� �.V1�@E E �:�� +�� oSy� u�J �x��pgΟ��9v ��_12��\F f� �r5��<��♃ r i�o_0 �ڭz >sћ�� o r�g�n,ԙ�p� ��.�a�U�V��Y �q�g[� ��/rj��@�u��GI�v��ێ�01� yu� k��\|s��0>�=�oQR[�� ߱��;0H��w- f7�k �3 ��'�}\�_�@�� v x gg3�e+��~\|�ޕX}"�tC��sL 1" n��#p�� w��n @ʎ\��ߩ = �� ^ ӡoQ�f2 I�LŶ# Y��S���\7�W�n�2�s�HR�=��F�Y��[k Kr$Gy ] � ��p?� =#� �d} tV2z ��s�=7��ڬY�^.�h/=3z�@t �"� �R�Z=ȳ��{ ��B}$��s] � ��"]5Kкc�� 8:�8r�KA�9�Y C��.V�o�Ȳ�{�Q�� ̋ � �ѱ UL� :�1R��}R�� ,��^ %K\?Ցj�Z�副-!� �lݖx g� � Z e��T�l��B��T�=�$��+� �tZ��D�J�b�9�� Gc��ؿ t��c��.��Snp��GR)t%� �c�3Q�=G� ��fQeW:2 �`ע��1��;]: b[�� 䨶�~Ӊ�է�K5D��%0HP4:@��\|3�T� ��,� A�EQF��S�<_`� �ˎb �� u��Qf �H� �� %˂n^P6��\ s.M W�qccDv�dW�fF�\|��C,� �5 \@�S��{5�n )��9l� :U��AQp Ţ��b��r� `;vX�m�Jp � ڕ��sh��C �wW�tY �� s mO�~ � �5 �}�� _I}} ʹȮ��\�c��N8��hs�@Ls&'�ͨ�ҽ� �F�b��\�Hb�?cC77�] �F�� ~� �.8T�k!Q��I>_��>T=��XaP�=az��3�X�\O��^ {$pvXʮ�}�8�� o�f��6�̓e#�ǉ;�\� ��7 � ^��d�$U7��p��Dp�L��z `�K�� Z�0禱i��M �l o>��f\��Ki�Z1� %�kϕ�]�!ĉd�� [� � �� ��Ҷ\|D��Xqo�y k ��Tԡ� ��3 g� ��ڇ:G�$��v��Q ��hW�K9Ќ��[��7%}# ��xt�. ǋD��MF�� X=�� L{Ǘ˨͟O� ��[�! {�"��Gh{Q�,A쏝�<� ͬ(� endstream endobj 5 0 obj <</Type /Page /Parent 1 0 R /Resources 2 0 R /Contents 6 0 R>> endobj 6 0 obj <</Filter /FlateDecode /Length 722>> stream x��Uے�@ �g�� j �IB�}su�j] !�e�> A� ��]��S=Ӊ0 7�V��̜>}�{F�U�SQ�?; �_��k�y�}�� #q �� `� ��V�ǉ�(?�lʟ�PN;\3Zф � ��JZ҆� e�䑏�i�� aNiF��9�� ~W9��{6�$ �� G � ^q i �� x�ލe��(T:�c �%݃㚦b� r�- �~�B�E�� \| � - "]@� ޗ �� t2��f �=��:@@^�� L� ��7�{ ��V W a��&��LX��,��\|Uu ��]�U%\�t t�H�K5�U ��T��@[�= �#��ڟ`�� V#� � ƑJ} � e�� T�ԡ�I_܁� � � ��H� �L��~�L�m�P1��f�� kbf��.�"C:7�[40�^K 10� <��m�hM��5 ��Fc��<�R�&k � ⿔�� g�_�ފ��k ) Ӿg�P�Z�:.STKɦY��3�sܳ� [݆�'� �� u2qM,� �i# �q�b��X6,cٱT��8�keZ66�9< �gE ��̎�� ~��6�� o�I�b�B- H�`Ω�� ԫ�Ƽ �T�� c�y �)8�@��H�xGx6O��_'V�qJ� ��JX��ӡVI�m�� ɉ 0HT ��4��-�8 C <� �i�}�ڇ��7G��# endstream endobj 1 0 obj <</Type /Pages /Kids [3 0 R 5 0 R ] /Count 2 /MediaBox [0 0 595.28 841.89] >> endobj 7 0 obj <</Length 46328 /Filter /FlateDecode /Length1 91432 >> stream x�� \|[E�/>s��,�r�l�w[�e˖{�=�c�wR!� ! 0, `��R�M�!t�t �� )!� K�M��3�ږ� �� E�,͝�{��9sΙ��PB�?��deMeUudU� 5'Q�jZ[:��{�� C��tM� ގ�ߴtd��~yS(!EW�{��e�W�� O��/ Q �]��Bb�� )�e�Z8��;�2 �� .={�� } y��E�g�{�o �#�r!��-B�.]�#�?��q��^� U�� y銹�?Z v �ٳ0\��W��"' -`�Y��^6�o��؋�O �Y�r�Y�G.�L%�� }N vܙ�� }��?��{:H(��^FDz��6��;�;D � ��7���PU�� �ʂ�> ��"Y�� Ս��o��I oA� v��3=c��ˉ�� CC��H� � u�Q��}�I �$K�zr ��A R?�K��jz�0O�Q � �JM�� &]- ŧ��DO�pG�� )�>!N�'R$=A6�n3� �� F� ��>W��~�y }v�ϋ��"��H�J�� {��x =�E @� �-�� 0z� z�/ " �U��Ԁ�v�#�%}K��cd�t��J'H x�/��}?zߏ� ��8�{�q � �{��V �� Z @�gx�ǉ c -Z ��_h�8Z=�V��V MpH ��@�"Z� N��p�Z\y W�ŕ�� B�C�� !�$�$�$�$��B�FJI:^ ��E\$ �6\|��& �"�5\ɂL H ޫ�55��Ԓ RG�I=^ ��4�4 G3ڴ�s+� m�G;F�@�N�.\|��i�ԃ�}��t� H� y��:�3� ~��H��%) �"��W�- �fh @�'� \| E5 Q (f�r�YFV �'stN� �.��Ց ��CA1�� 2�K� �r`X ^,�(�@� $v � �J? M �4 � �T �t�� 4M�K C� ( ��C.�n ��&�fX�AS9�R �� 2�9�� $ ) '�� I1�R 4 �K C. U PU � �� h�� 4�ģD 4=@S�Ȧ h�� A�K1 9 D.�% ��� \ ��V@.Y@U �d)�z86 �0 � ��(5�� ԡw=�4�j#J �4�S >��jG� \�ħ.ޫ #�+�J �< K��2�� z�� N t�@� t �lE�^�ޝNV�,'6 ^ �B.#Y � �� 8 ��T� P� �� ~7�"�� P� ��qo��i��BM� UŠ�h U.H�q� �j�j��Z�ހ�K�� T�@��S� @؉~��n\�y�(. ��X ��bE��@q (� �� $R�+,�է�i>��'�Ҡ �\| � CP)=��j�� 1R��S� �A)�p'�g7�N'I��I�Ŀ��K_�Ǥ �_@�_��wcֱ@�� T�� e )TT��rP�0 ]�^�m[ �Zy VAWK��f�V�� X)�ւϭ�҆�� W;Q߅�LçAv=��]�� oˠ�U�o �� v��.��o �� $��\GS } H�� ... (truncated)

Preview script

First 1,000 lines of the extracted script

%PDF-1.5
3 0 obj
<</Type /Page
/Parent 1 0 R
/Resources 2 0 R
/Contents 4 0 R>>
endobj
4 0 obj
<</Filter /FlateDecode /Length 1546>>
stream
x��X[S�H �g �y�)���!�92N� �*����>DAe a P� �O���$� �T
���\�s�t��{IJ+��vL���~�ӀZ�  ���4��σ�_���vO�� /J� �� �����M�j�k� Ս�� Ex��w��j�fj�YR��U��� s ��5K���7
���~��C
���� ��%�� �^ �}�Emz�$	���x��  � �B� � �q5\h ��q�}J�)����   ^Әԥ���� �<c�p
J� �%F>�� �	.�
�.V1�@E E �:����
�+�� � oSy� u�J �x����pgΟ���9v ��_12��\F f� �r5��<��♃ r i�o_0 �ڭz >sћ��� ���o r�g�n,ԙ�p�
 ��.�a�U�V���Y �q�g[� �������/rj����@�u��GI�v����ێ�01� yu� k��|s����0>�=�oQR[��  ߱��;0H���w-
f7�k	�3 ����'�*}\�_�@��  v x gg3�e+���~|�ޕX}"�tC���sL
1" n��#p���� �w��n @ʎ\��ߩ = ����� �^ ӡoQ�f2 I�LŶ# Y��S�*���\7�W�n�2�s�HR�=��F�Y���[k Kr$Gy  ] � ��p?� =#�  �d} tV2z *����s�=7��ڬY�^.�h/=3z�@t �"� �R�Z=ȳ��{ ��B}$��s] �	��"]5Kкc���� � ��8:�8r�KA�9�Y	
C����.V�o�Ȳ�{*�Q��
�̋ � �ѱ  UL� :�1R���}R�� � ,���^ %K\?Ցj�Z�副-!� �lݖx g� �  Z e��T�l��B���T�=�$���+� �tZ��D�J�b�9��� Gc��ؿ t���c��.���Snp��GR)t%� �c�3Q�=G� ���f*QeW:2 �`ע��1�����;]: b[�� 䨶�~Ӊ�է�K5D��%0*HP4:@��|3�T� ���,�	A�EQF����S�<_`� �ˎb �� u����Qf �H� ��� �%˂n^P6��\ s.M W�qccDv�dW�fF�|��C,� �5 \@�S������{5�n )��9l� :U���AQp  Ţ��b��r� `*;vX�m�Jp � ڕ��sh��C   �*wW�tY �� s mO�~ � �5 �}��   
�_I}} ʹȮ��\�c��N8���hs�@Ls&'�ͨ�ҽ� �F�b�����������\�Hb�?cC77�] �F���  ~� �.8T�k!Q��I>_��>T=��XaP�=az��3�X�\O���^ {$pvXʮ�}�8�� �o�f��6�̓e#�ǉ;�\� ��7 � ^���d�$U7��p��Dp�L��z `�K��  ���Z�0禱i��M �l o>��f\��Ki�Z1� %�kϕ�]�!ĉd�� [� � �*� ��Ҷ|D�����Xqo�y k ��Tԡ� ��3  g�
��ڇ:G�$��v��Q ��hW�K9Ќ��[��7%}# ����xt�. ǋD��MF��� X=���� L{Ǘ˨͟O� ����[�! {�"���Gh{Q�,A쏝�<� ͬ(�
endstream
endobj
5 0 obj
<</Type /Page
/Parent 1 0 R
/Resources 2 0 R
/Contents 6 0 R>>
endobj
6 0 obj
<</Filter /FlateDecode /Length 722>>
stream
x��Uے�@ �g�� �j �IB�}su�j] !�e�> A�
��]���S=Ӊ0 7�V*��̜>}�{F�U�SQ�?;  �_��k�y�}�� #q ���� ���  �`� ��V�ǉ�(?�lʟ�PN;\3Zф
� ����JZ҆� e�䑏�i�� �aNiF��9�� ~W9��{6�$ ���� �G �
 ^q i  �� ���x�ލe����(T:�c 
�%݃㚦b� r�- �~�B�E��
��| �	- "]@� ޗ
����� t2��f �=���:@@^�� �L� ��7�{ ���V W a��&���LX��,��|Uu  ��]�U%\�t t�H�K5�U ��T���@[�= �#���ڟ`��� V#� � ƑJ} � e�� � �  � T�ԡ�I_܁�  � � 	���H�   �L��~�L�m�P1��f��� �kbf��.�"C:7�[40�^K 10� <���m�hM��5 ��Fc��<�R�&k � ⿔���� �g�_�ފ����k ) Ӿg�P�Z�:.STKɦY���3�sܳ� [݆�'�
���� u2qM,�
�i#  �q�b���X6,cٱT���8�keZ66�9< �gE ��̎���� ~��6��� �o�I�b�B- H�`Ω�� ԫ�Ƽ �T��
�c�y �)8�@���H�xGx6O��_'V�qJ�  ���JX����ӡVI�m�� ɉ 0HT   ��4��-�8 C <� �i�}�ڇ���7G��#
endstream
endobj
1 0 obj
<</Type /Pages
/Kids [3 0 R 5 0 R ]
/Count 2
/MediaBox [0 0 595.28 841.89]
>>
endobj
7 0 obj
<</Length 46328
/Filter /FlateDecode
/Length1 91432
>>
stream
x�� |[E�/>s���,�r�l�w[�e˖{�=�c�wR!�  !
0,	`��R�M�!t�t  �� �)!� K�M���3�ږ� ����� ��E�,͝�{��9sΙ��PB�?���deMeUudU� 5'Q�jZ[:��{�� �C���������tM� ގ�ߴtd��~yS(!EW�{��e�W�� O��/	Q �]��Bb��	)�e�Z8�����;�2 �� .={���� �} y��E�g�{�o �#�r!��-B�.]�#�?��q���^� U����  �y銹�?Z v �ٳ0\���W��"' -`�Y��^6�o��؋�O �Y�r�Y�G.�L%�� �}N vܙ�� � �}����?��{:H(��^FDz��6��;�;D � ���7����*�PU�*� *�ʂ�*> ����"Y�� �Ս��o����I oA� v��3=c��ˉ��� CC��H� � u�Q��}�I �$K�zr ���A R?�K��jz�0O�Q � �JM�� �&]- ŧ���������DO�pG�� )�>!N�'R$=A6�n3� ����� F� ����>W��~�y }v�ϋ��"��H�J��� �{������x =�E
@� �-���  �����0z�
z�/ " �U���Ԁ�v�#�%}K��cd�t��J'H x�/�����}?zߏ� ��8�{�q 
� �{��V �� Z @�gx�ǉ c  -Z ��_h�8Z=�V��V   MpH  ��@�"Z� N����p�Z\y W�ŕ��� � B�C�� �!�$�$�$�$���B�FJI:^ ����E\$ �6|���& �"�5\ɂL H ޫ�55��Ԓ RG�I=^
��4�4 G3ڴ�s+� m�G;F�@�N�.|���i�ԃ�}��t� H� y���:�3� ~���H������%) �"���W�- �fh @�'� | E5 Q (f�r�YFV	�'stN�* �.���Ց ���CA1�� �2�K� �r`X
^,�(�@�	$v � �J? M �4 � �T �t�� 4M�K   C*� (
���C.�n ��&�fX�AS9�R ����   �2�9��	$  )  '�� I1�R 4 �K   C. U PU � ���� h��� 4�ģD 4=@S�Ȧ	h��� �A�K1 9 D.�% �*�� �\
�*�V@.Y@U �d)�z86 �0 � ��(5�� �ԡw=�4�j#J �4�S >����jG� \�ħ.ޫ #�+�J �< K��2�� �z�� ���N t�@�
t  �lE�^�ޝNV�,'6 ^ �B.#Y � �� ���8 ���T� P� �� ~7�"��� P� ��qo��i��*BM� UŠ�h
U.H�q�
�j�j��Z�ހ�K��
T�@��S�   @؉~��n\�y�(. ���X ����bE��@q (� ���� ��$R�+,�է�i>��'�Ҡ �| � CP)=���j�� �1R����S� �A)�p'�g7�N'I��I�Ŀ��K_�Ǥ �_@�_����wcֱ@�� T��� e  )TT��rP�0 ]�^�m[ �Zy VAWK��f�V�� �X)�ւϭ�҆�� � W;Q߅�LçAv=���]��� � oˠ�U�o �� �v��.����o
��
$����\GS  } H���
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.