Malicious PDF — malware analysis report

Static analysis result for SHA-256 74c5c06b893a268d…

Verdict: MALICIOUS
File type: PDF
Size: 56.5 KB
Created: 2011-01-14 00:19:20 +02:00
Authoring application: http://google.wiki.usfca.edu/ (via mPDF 5.0)
MD5: b4f6353cc8639d22274a2c92b0566f98
SHA-1: eecacc107e26da3010921c3d30813299a672f99f
SHA-256: 74c5c06b893a268d16555838d5613f2a2b9a6e38a615b2c553076ebe9f156538
Risk score: 108

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment

The PDF contains obfuscated document-level JavaScript that calls getURL() to redirect the viewer to 'http://searchglobalsite.com/in.cgi?17'. Because the script runs from a document action, the redirect fires on open without user interaction in any viewer with JavaScript enabled. The URL is flagged as unknown (no prior reputation), and the ML classifier strongly indicates maliciousness. The combination of hidden JavaScript, an escaped URL and a redirector-style endpoint indicates a PDF built to lure the user to an attacker-controlled site, most likely for phishing or to fetch a secondary payload. This is a static result: the destination's content was not retrieved, so the verdict rests on the obfuscated automatic redirect and the classifier score rather than on observed second-stage behavior.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9008

Heuristics (5)

  • Obfuscated document JavaScript getURL redirector (high) PDF_JS_OBFUSCATED_GETURL_REDIRECTOR
    PDF document-level JavaScript automatically calls getURL() on an HTTP(S) destination hidden behind percent escapes. The decoded path is a redirector-style endpoint such as /in.cgi or /go.php. The finding is malicious routing behavior (an automatic, obfuscated redirect), not exploitation of a PDF parser CVE; a viewer with JavaScript disabled will not follow it.
  • Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. Here the match is the carved JavaScript stream (see Extracted artifacts).
  • JavaScript action (low) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://searchglobalsite.com/in.cgi?17 (target of the obfuscated JavaScript getURL() call)
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The two dejavu.sourceforge.net URLs are the project and license links that the DejaVu font family carries in its font name table; given the three embedded sfnt fonts carved from this sample, they are most likely font metadata strings rather than navigation targets.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                        Kind                     Source                                      Size
javascript_obj0038_000.js       pdf-javascript-stream    PDF /JS object 38 at offset 0xDA43          136 bytes
    SHA-256: a2620a0be21a26956e8296a3c8163c8c260cb6a920586f15a19c6e170ac30940
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s) and 1 long hex-escaped blob(s). A clean signature-engine result on a 136-byte bespoke script carries little weight; the obfuscation flags are the relevant signal.
stream_004_off00001fdc.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1FDC    17772 bytes
    SHA-256: dcd1ba64d747e0bf0b9b8ecc270a7bea07ca4cd5917a768cd217f1d51287033b
font_01_sfnt_off00004df7.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x4DF7   17892 bytes
    SHA-256: a8ed3909966b10c026f46212f55dce68c94667ce1ac039797d3ebfa1d644dacf
font_02_sfnt_off00007c37.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x7C37   18720 bytes
    SHA-256: 4ee4e439b16220e78b319060a3d86ba95cd4b8614522dd4fa1d4df274793c516
font_03_sfnt_off0000aec4.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0xAEC4   18756 bytes
    SHA-256: e3eeacc5b1f780160b253f248c40fb29e5cb6416f62dd9413712ea70c37f26c9