Malicious PDF — malware analysis report

Static analysis result for SHA-256 758bd92e9358170f…

Verdict: MALICIOUS
File type: PDF
Size: 166.4 KB
Created: 2011-11-07 09:06:58 -05:00
Authoring application: Acrobat Distiller 9.4.6 (Macintosh)
MD5: 775645f055808ff4a3409760aad0c197
SHA-1: 14d9634834bc6cce5ab0633366de93224c81bd4c
SHA-256: 758bd92e9358170f263e2031e22858e4249905ae56a82c20914cb9a6d405a32e
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF file contains XFA form elements and embedded JavaScript, which are often used to exploit vulnerabilities or trick users. The JavaScript code attempts to display fake update alerts to the user, directing them to 'http://cgi.adobe.com/special/acrobat/update' for a supposed reader update. This is a common lure to prompt users to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9428

Heuristics (9)

  • PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form (low, PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • Embedded script payload in PDF stream (low, PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Fake invoice / payment lure (low, SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb. This is useful context when combined with link, macro, or attachment indicators.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

  • embedded_file_obj0008.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0x1C68C
    Size: 85 bytes
    SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
  • embedded_file_obj0014.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 14 at offset 0x287BB
    Size: 274 bytes
    SHA-256: a1bedfca6a3a7bf979ede45041b0c5e4f4291ad450cee2d61406ad4cf5daaebb
  • javascript_obj0028_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 28 at offset 0x47DB
    Size: 1535 bytes
    SHA-256: 04ceb4c2218e7db19a6e007ca4ce846f92c17fff5eaf3a611e71bbd7a5726917
  • javascript_obj0029_001.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 29 at offset 0x49C6
    Size: 870 bytes
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
  • javascript_obj0030_002.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 30 at offset 0x4B20
    Size: 2798 bytes
    SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
  • embedded_pdf_script_0001cf17.bin
    Kind: pdf-embedded-script
    Source: PDF raw stream script payload at offset 0x1CF17
    Size: 3181 bytes
    SHA-256: 96eb36d3ea87704b54cd5541ea8e75f9097fa2ead0551cd980fdb69cd210ece8
  • icc_00_off00016c37.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x16C37
    Size: 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  • font_00_cff_off0001a51a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1A51A
    Size: 288 bytes
    SHA-256: 129dfe796ba3928017402c9503c5b01d59ed9766127ea4e883e63e6fe6cd12bd