Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f01ed6bc85876db…

Verdict: MALICIOUS
File type: PDF
Size: 553.5 KB
Created: 2009-07-28 16:23:15
Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: ca07d54c979e79de538de8f813216990
SHA-1: 5a97a73d3af8fd23c4354f33eb2784e271321dc7
SHA-256: 7f01ed6bc85876db07c5d856e5e93546515cbd1cd2f80e4befac396e15c38a79
Risk Score: 78

Malware Insights

MITRE ATT&CK
  • T1059.001 JavaScript/JScript
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_UNESCAPE heuristic suggests obfuscation of the JavaScript content. The SE_CALLBACK_LURE heuristic strongly suggests the document is designed as a lure for a callback phishing or tech-support scam, asking the user to contact a fraudulent entity. The embedded URL from InsiderSoftware.com is of unknown reputation and could be related to the malicious activity.

Heuristics (6)

  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.InsiderSoftware.com/fontlist/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, SHA-256, kind, source location inside the PDF, and size.

  • javascript_obj0171_002.js
    SHA-256: e8f8606f8d77779cb4c2c4369a87712575f8d30dd9aded5dbc3366cdb501e3ca
    Kind: pdf-javascript-stream
    Source: PDF /JS object 171 at offset 0x66CCE
    Size: 44061 bytes
  • javascript_obj0172_003.js
    SHA-256: 78b7f89807b0cac37538dfb149b2737b4ce9142486594e4c5be2f5231ca39e56
    Kind: pdf-javascript-stream
    Source: PDF /JS object 172 at offset 0x69493
    Size: 52 bytes
    Detection
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 eval/decoder/string-building token(s).
  • icc_00_off0005d91a.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x5D91A
    Size: 3144 bytes
  • font_00_sfnt_off00002e70.bin
    SHA-256: afeb9e1e920aae3aca3f295f1bbccba46b16423dac14b1b5fde4b661de9198cc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2E70
    Size: 46764 bytes
  • font_01_sfnt_off0000a499.bin
    SHA-256: 5f96e1e90c4ef56487c91d02c05141dca0967f8e2bbd5d67be6c4f381f0afa79
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA499
    Size: 62160 bytes
  • font_02_sfnt_off000138ef.bin
    SHA-256: b661c2e877dd6b7625208ae148d736aedb24eda2d4f014262cbb7f958f538ca0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x138EF
    Size: 71216 bytes
  • font_05_sfnt_off00035e19.bin
    SHA-256: 8b62f203a4ab5c2ac76368029c584b4fa12fffc17f3b6e4e43a9997416807d21
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x35E19
    Size: 11156 bytes
  • font_06_sfnt_off00037dca.bin
    SHA-256: d375c22ace40f0b973d7308d85023b2e0e49d40dc51da45552d116868346475e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x37DCA
    Size: 37232 bytes
  • font_08_sfnt_off0004749c.bin
    SHA-256: 95592346b00d039686aa3d7e22eae3d52b011e7e842a5c123f73e89ea766cd35
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4749C
    Size: 22628 bytes
  • font_09_sfnt_off0005354c.bin
    SHA-256: 6cf6df6beee88aa138f821122d0c1969b348cebe09cafe5b5f6a7eb8c27107a0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5354C
    Size: 32640 bytes