Malicious PDF — malware analysis report

Static analysis result for SHA-256 73b0097b6f4bb031…

Verdict: MALICIOUS
File type: PDF
Size: 56.6 KB
Created: 2017-06-22 13:05:27 +03:00
Authoring application: iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5: fe99fbd2557213f6399731e0b9afb31b
SHA-1: 90de1779c88afe73c3eae2685fc6c099118ca3f0
SHA-256: 73b0097b6f4bb031e9a8bdd75ae4559310c9e335d15ea4418c690d8cca5687f3
Risk Score: 176

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The PDF contains embedded JavaScript that calls the exportDataObject function, which is commonly used to launch embedded files. The embedded file is a DOCM document, and ClamAV detected it as a downloader. This suggests the PDF is a dropper for a secondary malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • ClamAV: Pdf.Dropper.Agent-7577337-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7577337-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • 000862862990.docm
    SHA-256: 7debcc222bbd978e602a8c696e4b066b62355d55daf7419197fadbe116ac0632
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 2 at offset 0x9B2
    Size: 67273 bytes
    Detection: ClamAV: Doc.Downloader.Jaff-6329915-0
    Obfuscation or payload: unlikely
  • javascript_obj0004_000.js
    SHA-256: ab07efaecbd04bc1193fd319f409ff6cc20dc1554d1eab07b51cd4f906de9d37
    Kind: pdf-javascript-stream
    Source: PDF /JS object 4 at offset 0xDD70
    Size: 107 bytes