Malicious PDF — malware analysis report

Static analysis result for SHA-256 81ec61a49b5fcc4e…

MALICIOUS

PDF

9.97 MB
MD5: 3e97bd9b3eaae9abb0617ec4c0941efd SHA-1: ed597775cf6c632d958731a841edcff8c24b61b2 SHA-256: 81ec61a49b5fcc4e696974798b5e0d3582a297e9c6beaf95d56839b514e064f5
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF is encrypted and contains an /OpenAction, indicating that malicious content is hidden from static analysis and is likely executed when the document is opened. Heuristics indicate an advance-fee scam lure and a visual download button, suggesting the document attempts to trick the user into downloading a payload. The presence of JavaScript and a large number of streams further supports malicious intent, most likely to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score: 0.5568

Heuristics (6)

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis [high, PDF_ENCRYPTED_WITH_JS]
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Advance-fee lottery/parcel scam lure [high, SE_ADVANCE_FEE_SCAM_LURE]
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Unusually high stream count [medium, PDF_MANY_STREAMS]
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
  • Visual download / call-to-action button lure [low, SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal unless other findings point to a malicious workflow.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size, SHA-256 and any detection result.

  • stream_006_off0000c5a9.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xC5A9
    Size: 192734 bytes
    SHA-256: 22a5d0c4879eeff4bdd5f78415e2a52cd64c379a8a39711df62106e7b562b0a4
    ClamAV detection: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.50, consistent with packed or encrypted content)
  • stream_009_off00046ee4.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x46EE4
    Size: 161144 bytes
    SHA-256: 3c192bf3b680dfb1a05b681fb430492c0ba86219b2d769676727acb41e79b407
    ClamAV detection: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.46, consistent with packed or encrypted content)
  • stream_010_off00065c83.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x65C83
    Size: 146060 bytes
    SHA-256: 5a0aa410312f0ed567f4a7f1455cadfcaddf93b187426b04e5804ed4ff85fa11
    ClamAV detection: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.48, consistent with packed or encrypted content)
  • stream_034_off0013dbe9.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x13DBE9
    Size: 1160 bytes
    SHA-256: 115ea864883423988049bbe336547a9874d872e0e3002dc9930f474a1632069b
  • stream_036_off0032b75a.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x32B75A
    Size: 557168 bytes
    SHA-256: 4855b8fabb96bdc6495d45d089bb8c8efb1ae18389e0dc9e75a5f701a9c0b662
  • font_01_cff_off0003183e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x3183E
    Size: 62885 bytes
    SHA-256: f52725423462ecafe59c801c44a581ab33b9c606ba7eb9d21453d4b5eaf6ba56
  • font_02_cff_off0003c209.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x3C209
    Size: 63981 bytes
    SHA-256: 6126180eb1bfe08b11f66956f20bfd7b3ff0ebe5616877b731282f70e060cb2f
  • font_05_cff_off00081833.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x81833
    Size: 193128 bytes
    SHA-256: 937783e48a589fb77121464393a21ad9b539c8b8b9255f94ac0c30fa2a7ce9fc
    ClamAV detection: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.49, consistent with packed or encrypted content)
  • font_06_cff_off000b3c1f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xB3C1F
    Size: 80297 bytes
    SHA-256: 10901fc70ef9eedd09a7c7f4ba361b2d80b749f60cd817dfa931a6ef3008b781
  • font_07_cff_off000c2580.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xC2580
    Size: 83604 bytes
    SHA-256: 29fe7a6bf39d6b859298ff31f255e4808c97dd9bc0037c8c95388ec100dfa4f2
  • font_08_cff_off000d188d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xD188D
    Size: 78131 bytes
    SHA-256: 40ea9bd015254416e38a29668d8acd05e1f059c7850eb85aa3c06d27117d2353
  • font_09_cff_off0013cba8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x13CBA8
    Size: 2524 bytes
    SHA-256: 5e1335cc92310d260d26a4ae7b1604c5d013214a68d5069c9ce134eeac129e5e
  • font_10_cff_off0013d53b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x13D53B
    Size: 2004 bytes
    SHA-256: 0481a80e3235964fe1a63572912b688222cd40b20c9dd7f3db5b598170c2f549