Malicious PDF — malware analysis report

Static analysis result for SHA-256 74b6dc39fd280c39…

MALICIOUS

PDF

772.4 KB Created: 2009-01-07 13:17:28 -06:00 Authoring application: Adobe Designer 7.0
MD5: 5a9433362353d3a1c0580c27aee949dc SHA-1: 14f31966973bac81da4617e4cb5bec5d39ef7616 SHA-256: 74b6dc39fd280c39b59fbede0a8c4c4b3bcbd1fed60a923940f6fc357ba81d0b
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file exhibits multiple indicators of malicious intent, including embedded JavaScript and embedded files. The presence of a PDF_JAVASCRIPT heuristic firing, along with PDF_JS and PDF_EMBEDDED_SCRIPT_PAYLOAD, strongly suggests that the embedded JavaScript is designed to execute malicious code. The embedded files could contain further stages of an attack. While the specific family is not identifiable, the overall pattern points to a document-based attack leveraging embedded scripts and files.

Heuristics 8

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 15

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0689.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 689 at offset 0xB964F 85 bytes
embedded_file_obj0690.bin
3ee635d11943953963db647b391d74f3f123b7821ae57096fb6404ad99ae7081		 pdf-embedded-file PDF EmbeddedFile object 690 at offset 0xB9702 1613 bytes
embedded_file_obj0691.bin
f638ca97d66f9e6f316c4e588911d2d5e649436528303b08eb62e3e15115547f		 pdf-embedded-file PDF EmbeddedFile object 691 at offset 0xB99F6 186938 bytes
embedded_file_obj0692.bin
57045217c453d4674a08ad8778674bf199a7989a9505424a1815c016e6bb412f		 pdf-embedded-file PDF EmbeddedFile object 692 at offset 0xBC73E 212 bytes
embedded_file_obj0693.bin
3d5503672bef35c9d733b5b1e19ab9afc3e876d548c72912f24476b42f229c66		 pdf-embedded-file PDF EmbeddedFile object 693 at offset 0xBC836 3082 bytes
embedded_file_obj0694.bin
f9d7e31d6c4d9e149dfe46151fa0a68334a588db7bebcd3832eaf781e276b834		 pdf-embedded-file PDF EmbeddedFile object 694 at offset 0xBC9CB 724 bytes
embedded_file_obj0695.bin
a60265344cf1a9e94da34c8f587f64a4297e2fa417c895852209903ab7588bcc		 pdf-embedded-file PDF EmbeddedFile object 695 at offset 0xBCBAC 85 bytes
javascript_obj0681_000.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 pdf-javascript-stream PDF /JS object 681 at offset 0xB8EC8 870 bytes
javascript_obj0683_001.js
4e139c8b22ec16bd5aa51575c80dec2bbf89b76977a06b68473031a0eb206366		 pdf-javascript-stream PDF /JS object 683 at offset 0xB904F 2794 bytes
javascript_obj0685_002.js
c876171bd867b66b7671fb337ff9e57d18cd15b43d344cf5a7243821300a408a		 pdf-javascript-stream PDF /JS object 685 at offset 0xB9341 1528 bytes
stream_008_off0000e997.bin
33a9203d39b9a0067f2b84037fa691b9ff5476bb9e8795a25b6681abde039463		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xE997 350412 bytes
stream_010_off00043d3b.bin
4735e29f6b4dfaae31ceba3a66c7548a579b3b0ad8f9ec68bc6e90b0597d7de3		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x43D3B 308015 bytes
stream_012_off00070b0e.bin
3463cb6a96f307e7e3d7300dfb47d1a354c957c464dadd2539dcb8dc271d2635		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x70B0E 293120 bytes
stream_013_off000a46bb.bin
de95b0a27e4e8d79222e706a08612cf0e84d267ab22993aeb46073847f848f1b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xA46BB 73483 bytes
font_00_cff_off00002d0c.bin
96161e3d15cf67591ef2a1c87940c8dc0af59a94fcfab5d6bfcf4cb992a24af8		 pdf-font-stream PDF embedded font (cff) at offset 0x2D0C 64586 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.