Malicious PDF — malware analysis report

Static analysis result for SHA-256 82ed7f0d7be4b30b…

Verdict: MALICIOUS
File type: PDF
Size: 30.9 KB
MD5: 2398da485bc0a98337a702130bf14744
SHA-1: 11633f6568422f6447bc3f776ccf7df9730f280e
SHA-256: 82ed7f0d7be4b30b1eddd7e2dab6fc67342290d00c302a0c9acb89565cfc3fa3
Risk score: 118

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF contains embedded JavaScript and an embedded OOXML document (dew008.docx) whose structure matches the CVE-2017-8759 delivery pattern: the document carries an o:OLEObject of Type=Link whose external oleObject relationship points to https://share.dmca.gripe/tlP7pbv6wejGcB9t.doc, a remote file with an Office-looking name. The JavaScript actions and the embedded file indicate that the PDF is built to export the OOXML document to disk and get the user to open it; the remote document that the OLE link fetches is where any further malicious content or exploit would be staged. Static analysis does not retrieve that remote document, so the CVE association is inferred from the delivery pattern rather than confirmed, and the URL should be handled as an indicator of compromise.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (6)

  • OOXML OLE2Link remote document, CVE-2017-8759 related (severity: high; tag: CVE related; rule: CVE_2017_8759_RELATED)
    The PDF auto-exports an embedded OOXML document containing an o:OLEObject of Type=Link whose oleObject relationship has TargetMode=External and fetches a remote document with an Office-looking name. An external OLE link is also how legitimate linked objects are stored, and the remote document is not fetched during static analysis, so the CVE is inferred from the delivery pattern, not confirmed.
  • ASCIIHexDecode filter (with exploit indicators) (severity: medium; rule: PDF_FILTER_HEX)
    A hex-encoding filter is present alongside exploit delivery indicators; the filter is often used to hide payload or shellcode bytes from simple string scans.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low; rule: PDF_EMBEDDED)
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF differential parser failed (severity: info; rule: PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser exited 1. The static heuristics still ran and their findings above stand; only the differential cross-check signal is missing.
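The OLE2Link rule above, as an added example written for this report rather than taken from its tooling: it builds a minimal WordprocessingML package in memory and flags an o:OLEObject of Type=Link whose oleObject relationship is TargetMode=External, which is the structure the rule describes. Everything in the sample package is constructed for the example: the relationship id rId1337, the ProgID, the VML shape, and the placeholder URL https://example.invalid/remote.doc (not the URL from the real sample).

```python
"""Flag an OOXML document whose OLE object is a link to an external target.

Added example, not the report's own tooling. It rebuilds in memory the two
WordprocessingML parts the OLE2Link rule inspects and checks them the way the
rule describes: an <o:OLEObject Type="Link" r:id="..."/> in word/document.xml
whose oleObject relationship in word/_rels/document.xml.rels has
TargetMode="External". The package, relationship id and URL are constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_O = "urn:schemas-microsoft-com:office:office"
REL_OLE = NS_REL + "/oleObject"


def find_remote_ole_links(docx_bytes: bytes) -> list[dict]:
    """One record per OLE *link* whose relationship target is external."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/document.xml" not in names:
            return hits                      # not a Word package; nothing to check
        doc = ET.fromstring(z.read("word/document.xml"))
        rels = {}
        if "word/_rels/document.xml.rels" in names:
            for rel in ET.fromstring(z.read("word/_rels/document.xml.rels")):
                rels[rel.get("Id")] = rel
        for ole in doc.iter(f"{{{NS_O}}}OLEObject"):
            rel = rels.get(ole.get(f"{{{NS_REL}}}id"))   # r:id -> relationship
            if rel is None:
                continue
            # All three must hold: a *linked* object, an oleObject relationship
            # (not e.g. a hyperlink), and a target outside the package.
            if (ole.get("Type") == "Link"
                    and rel.get("Type") == REL_OLE
                    and rel.get("TargetMode") == "External"):
                hits.append({
                    "rid": rel.get("Id"),
                    "target": rel.get("Target"),
                    "progid": ole.get("ProgID"),
                    "update_mode": ole.get("UpdateMode"),
                })
    return hits


def build_sample_docx(target: str, linked: bool = True) -> bytes:
    """Constructed Word package: a linked OLE object pointing at `target`, or an
    ordinary embedded one (Type="Embed", internal part) when linked=False."""
    ole_type = "Link" if linked else "Embed"
    mode = ' TargetMode="External"' if linked else ""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"
 xmlns:r="{NS_REL}" xmlns:o="{NS_O}" xmlns:v="urn:schemas-microsoft-com:vml">
 <w:body><w:p><w:r><w:object>
  <v:shape id="_x0000_i1025" style="width:1pt;height:1pt"/>
  <o:OLEObject Type="{ole_type}" ProgID="Word.Document.8" ShapeID="_x0000_i1025"
   DrawAspect="Content" r:id="rId1337" UpdateMode="Always"/>
 </w:object></w:r></w:p></w:body>
</w:document>"""
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{NS_PKG_REL}">
 <Relationship Id="rId1337" Type="{REL_OLE}" Target="{target}"{mode}/>
 <Relationship Id="rId2" Type="{NS_REL}/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("https://example.invalid/remote.doc")   # constructed URL
    for hit in find_remote_ole_links(sample):
        print("OLE2Link remote document:", hit)
    benign = build_sample_docx("embeddings/oleObject1.bin", linked=False)
    print("benign embedded object flagged:", bool(find_remote_ole_links(benign)))
```

The check keys on the relationship type as well as TargetMode, so the external hyperlink relationship in the same package is not flagged, and an ordinary embedded object (internal target, no TargetMode) returns nothing. Against the carved dew008.docx from this sample, the target value to expect is the share.dmca.gripe URL listed in the summary.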

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

dew008.docx
  SHA-256: d67fe00d0ae3ac32a518d10985ed934303d181f9db625dbfbe8d47c03c3f16e2
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 8 at offset 0x388
  Size:    10131 bytes

javascript_obj0009_000.js
  SHA-256: dd72e64c1024abb426436874c8a576e48eb9432e9fb3297dcc868997ddc9689f
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 9 at offset 0x79EB
  Size:    60 bytes

javascript_obj0009_001.js
  SHA-256: 7c9f2ac53b56d618ee015cb254ccbddf54994f4bae81c66c67ea92aa08a89062
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 9 at offset 0x79EB
  Size:    58 bytes
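The carving shown in the artifacts table, together with the PDF_JAVASCRIPT, PDF_JS, PDF_EMBEDDED and PDF_FILTER_HEX indicators from the heuristics list, as an added example that is not the report's analysis pipeline: a Python script assembles a small PDF in memory that mirrors this sample's layout (an ASCIIHexDecode-filtered EmbeddedFile in object 8 and a /JS stream in object 9 reached from /OpenAction), then carves both streams, undoes their filters, and records object number, file offset, size and SHA-256 for each. The embedded payload bytes and the JavaScript are constructed stand-ins, not the real sample's content, and the object numbers are chosen to match the table.

```python
"""Carve /EmbeddedFile and /JS streams from a PDF and score its static indicators.

Added example, not the report's analysis pipeline. It assembles a small PDF in
memory that mirrors the sample's layout (hex-filtered EmbeddedFile in object 8,
a /JS stream in object 9 reached from /OpenAction), then carves both streams,
undoes their filters and hashes them as the artifacts table does. The payload
bytes and the JavaScript are constructed stand-ins for the real content.
"""
import binascii
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")      # /JS n 0 R -> stream object n

# Rule id -> raw-byte indicator, mirroring the low/medium rules in the report.
INDICATORS = {
    "PDF_JAVASCRIPT": rb"/JavaScript",
    "PDF_JS": rb"/JS",
    "PDF_EMBEDDED": rb"/EmbeddedFile",
    "PDF_FILTER_HEX": rb"/ASCIIHexDecode",
}


def decode_stream(raw: bytes, filters: list[bytes]) -> bytes:
    """Apply a /Filter chain in order (only the two filters the example needs)."""
    data = raw
    for f in filters:
        if f == b"/ASCIIHexDecode":
            hexdata = re.sub(rb"\s+", b"", data.split(b">", 1)[0])  # '>' ends the data
            if len(hexdata) % 2:
                hexdata += b"0"          # a final odd digit is padded with 0
            data = binascii.unhexlify(hexdata)
        elif f == b"/FlateDecode":
            data = zlib.decompress(data)
        else:
            raise ValueError(f"unsupported filter {f!r}")
    return data


def carve(pdf: bytes) -> dict:
    """Return {'indicators': [rule ids], 'artifacts': [carved stream records]}."""
    indicators = [rule for rule, needle in INDICATORS.items() if needle in pdf]
    js_objects = {int(n) for n in JS_REF_RE.findall(pdf)}
    artifacts = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        sm = STREAM_RE.search(body)
        if sm is None:
            continue                          # dictionary-only object, nothing to carve
        dictpart = body[: sm.start()]
        if num in js_objects:
            kind = "pdf-javascript-stream"
        elif b"/EmbeddedFile" in dictpart:
            kind = "pdf-embedded-file"
        else:
            continue
        fm = FILTER_RE.search(dictpart)
        filters = re.findall(rb"/\w+", fm.group(1)) if fm else []
        data = decode_stream(sm.group(1), filters)
        artifacts.append({"object": num, "offset": m.start(), "kind": kind,
                          "size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
                          "data": data})
    return {"indicators": indicators, "artifacts": artifacts}


def build_sample_pdf(payload: bytes, js: bytes) -> bytes:
    """Constructed PDF: Catalog -> OpenAction -> JavaScript action -> /JS stream (obj 9);
    Catalog -> Names/EmbeddedFiles -> Filespec -> hex-filtered EmbeddedFile (obj 8)."""
    hexpayload = binascii.hexlify(payload) + b">"
    objs = {
        1: b"<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R /Names << /EmbeddedFiles 3 0 R >> >>",
        2: b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
        3: b"<< /Names [(dew008.docx) 5 0 R] >>",
        4: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        5: b"<< /Type /Filespec /F (dew008.docx) /EF << /F 8 0 R >> >>",
        6: b"<< /S /JavaScript /JS 9 0 R >>",
        8: b"<< /Type /EmbeddedFile /Filter /ASCIIHexDecode /Length %d >>\nstream\n%s\nendstream"
           % (len(hexpayload), hexpayload),
        9: b"<< /Length %d >>\nstream\n%s\nendstream" % (len(js), js),
    }
    out = bytearray(b"%PDF-1.7\n")
    for num in sorted(objs):          # no xref table: enough for carving, not for a viewer
        out += b"%d 0 obj\n%s\nendobj\n" % (num, objs[num])
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(out)


if __name__ == "__main__":
    docx_stub = b"PK\x03\x04" + b"\x00" * 26 + b"word/document.xml"   # constructed ZIP-like stub
    js_stub = b'this.exportDataObject({cName: "dew008.docx", nLaunch: 2});'  # constructed, illustrative
    result = carve(build_sample_pdf(docx_stub, js_stub))
    print("indicators:", result["indicators"])
    for a in result["artifacts"]:
        print(f"obj {a['object']} @0x{a['offset']:X} {a['kind']} {a['size']} bytes sha256={a['sha256'][:16]}...")
```

The regex pass is deliberately the same kind of raw-byte scan the low and medium rules describe, which is also its limit: objects packed into a compressed /ObjStm, inline `/JS (...)` strings, and stream bodies that happen to contain "endobj" are missed or mis-split. That gap is what a second, structure-aware parser such as pdfminer.six is for, which is why the report treats its failure on this sample as a lost cross-check rather than a clean result.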