Malicious PDF — malware analysis report

Static analysis result for SHA-256 76b44a2a23ddc59e…

MALICIOUS

PDF

Size: 13.74 MB
First seen: 2020-12-25
MD5: d653b2ab02316eee2123c5c72d5aa501
SHA-1: 051df835d0461b39726e22bfff092f5a432318ce
SHA-256: 76b44a2a23ddc59eb21a04ad51c3bdea07ad519cd7518de325cd77c1758d60c4
Risk score: 130

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The PDF contains embedded JavaScript and is encrypted while also declaring an /OpenAction, indicating an attempt to hide malicious code from static inspection while still auto-executing it. The ML classifier strongly suggests maliciousness. The presence of an internal IP address as a URL suggests a potential command-and-control or download server within a local network. The high stream count and embedded font files point towards obfuscation techniques used to conceal the true nature of the PDF.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9802

Heuristics (7)

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis (severity: high, rule PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators, this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Unusually high stream count (severity: medium, rule PDF_MANY_STREAMS)
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
  • PDF paints image(s) but contains no text operators (severity: medium, rule PDF_IMAGE_ONLY_LURE)
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either the raw bytes or the decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • JavaScript action (severity: low, 1 related finding, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://192.168.192.168 (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/g/img/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/t/pg/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/Dimensions# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/g/ (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://www.iec.ch (in PDF document text)

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Each entry gives the filename (kind), its source inside the sample, its size and its SHA-256.

  • stream_012_off0005ab06.bin (decompressed-pdf-stream): PDF FlateDecoded stream at offset 0x5AB06, 41150 bytes
    SHA-256: 1547e36dc78c7d40e9840f5144e42b0254b90b63550e2e96d37c0e597d655600
  • icc_00_off0005649d.icc (pdf-icc-profile): PDF ICC profile at offset 0x5649D, 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  • font_00_cff_off000857c6.bin (pdf-font-stream): PDF embedded font (cff) at offset 0x857C6, 7195 bytes
    SHA-256: 4629b14aa386c6f4577cd6c9cd11d150deb3fa52cd17c44ec9a8cd9c932fb289
  • font_01_cff_off00086f75.bin (pdf-font-stream): PDF embedded font (cff) at offset 0x86F75, 8069 bytes
    SHA-256: 1820eac97238a9fcc9c8b42e8789d1461635b3872fdfdc6302168c7461821a60
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.41, consistent with packed or encrypted content.
  • font_02_cff_off0093a573.bin (pdf-font-stream): PDF embedded font (cff) at offset 0x93A573, 6837 bytes
    SHA-256: cff5ddf8bb1d0724cbbb06059fca630ebb15ffb32eecafc84a732350025475c4
  • font_03_cff_off0093bc26.bin (pdf-font-stream): PDF embedded font (cff) at offset 0x93BC26, 479 bytes
    SHA-256: 71b9ce7c90d4e742af3bdaec5759d798d782784efa94c9a453f9bab87bde4bdd
  • font_04_cff_off0093be5d.bin (pdf-font-stream): PDF embedded font (cff) at offset 0x93BE5D, 10289 bytes
    SHA-256: f269b7fbd4e142378b61443fbea56949f9db3a2c87719720a7401a3a16cdc9e1
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.45, consistent with packed or encrypted content.
  • font_05_cff_off0093e137.bin (pdf-font-stream): PDF embedded font (cff) at offset 0x93E137, 5909 bytes
    SHA-256: 2eb555cead63882bc093db1c3399cbf046c56331cb9b41f2d5acf72d87adc53e
  • font_06_cff_off0093f513.bin (pdf-font-stream): PDF embedded font (cff) at offset 0x93F513, 389 bytes
    SHA-256: 36a7af7074bf8005d7a726a7fa5b5d3364a06c50bda7f161f319fa59fb5f81e2
  • font_07_cff_off009409f6.bin (pdf-font-stream): PDF embedded font (cff) at offset 0x9409F6, 3119 bytes
    SHA-256: db01e5e0e1b166efcfb41e24cc947bb84cda78c16891b9dabf6b861b9d6a80cd
  • font_08_cff_off00941590.bin (pdf-font-stream): PDF embedded font (cff) at offset 0x941590, 1394 bytes
    SHA-256: e40061ca4ff01908de0d4876d8a3aa18669111757d320ef394363cbdefade68e
  • font_09_cff_off00941af1.bin (pdf-font-stream): PDF embedded font (cff) at offset 0x941AF1, 1563 bytes
    SHA-256: 9e163ba3a21ba752f32c94a0d70ac05b62acec46c890cdc6fb5892199d57c396
  • font_10_cff_off009420d5.bin (pdf-font-stream): PDF embedded font (cff) at offset 0x9420D5, 2367 bytes
    SHA-256: 4d55fe2ae8337978c2a8bbc91e748232386d0930b0ee101f518a0be0de187acf