Malicious PDF — malware analysis report

Static analysis result for SHA-256 86b9878c88617b9a…

MALICIOUS

PDF

57.5 KB Created: 2017-04-24 12:07:35 +03:00 Authoring application: iTextSharp’ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5: e5a42f2e94a6b99f286da9767aa9e29c SHA-1: e32e424c3403b3e4d2c7723e200e06978d0d50ea SHA-256: 86b9878c88617b9a4d65e8f3a0c4536f995f1e752a873940947c8cea38331ba4
234 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript that is configured to launch an embedded file named '332719.docm' upon opening. This behavior, combined with critical heuristic firings indicating a dropper functionality and ClamAV detection as 'Doc.Downloader.Donoff-10030369-0', strongly suggests the PDF acts as a downloader for a secondary malicious payload. The ML classifier also flagged the PDF with a very high probability of being malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • exportDataObject + nLaunch — embedded-file launch-on-open dropper critical PDF_JS_EXPORT_LAUNCH_DROPPER
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment. (matched in decompressed stream)
  • ClamAV: Doc.Downloader.Donoff-10030369-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Donoff-10030369-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
332719.docm
5cc1809fd1aaf913155f41c280cc808f8c2c5f1b4a21824dbe91091e36a81205		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x61 70288 bytes
Detection
ClamAV: Doc.Downloader.Donoff-10030369-0
Obfuscation or payload: unlikely
javascript_obj0005_000.js
b3c4f15ff87e9c5c325b586e5039fdf89d8e8594ae15edf25b6a13258c56e363		 pdf-javascript-stream PDF /JS object 5 at offset 0xE03A 446 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.