Malicious PDF — malware analysis report

Static analysis result for SHA-256 886487b3ae24e6d4…

Verdict: MALICIOUS
File type: PDF

Size: 245.3 KB
Created: 2010-08-18 19:24:27
Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: 0be29522c56d7203627170e9de4d20cf
SHA-1: ab8365074c3e4870c9baeba6ef44c69b83a794ef
SHA-256: 886487b3ae24e6d4bcc59c1702895b7f86fe3c7637c43a7e142ee477d910900b
Risk Score: 128

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript that utilizes `unescape()` and `eval()` functions, indicating an attempt to obfuscate and execute malicious code. The presence of these functions, along with a heuristic firing for an embedded script payload, strongly suggests the document is designed to exploit vulnerabilities. The numerous embedded URLs, primarily related to online pharmacies, point towards a phishing or scam-related lure. No specific malware family could be confidently identified.

Heuristics (6)

  • eval() call (severity: high, rule: PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution
  • unescape() call (severity: high, rule: PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits
  • Embedded script payload in PDF stream (severity: medium, rule: PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Suspicious extracted artifact (severity: medium, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://michaelbolten.com/online-pharmacy-effexor-top.html
    • http://michaelbolten.com/aptos-ca-rite-aid-pharmacy-top.html
    • http://michaelbolten.com/canada-pharmacies-restasis-eye-drops-top.html
    • http://www.hollywoodbeachrealestate.org/percocet-online-pharmacy-top.html
    • http://www.blissentertainment.com.au/online-pharmacy-ultram-top.html
    • http://www.blissentertainment.com.au/Hoodia-Patch-Without-Prescription-top.html
    • http://www.hollywoodbeachrealestate.org/rx-america-pharmacy-help-desk-top.html
    • http://www.hollywoodbeachrealestate.org/order-valium-from-safe-online-pharmacy-top.html
    • http://michaelbolten.com/pharmacy-sample-drugs-top.html
    • http://www.hollywoodbeachrealestate.org/loestrin-fe-and-mail-order-pharmacy-top.html
    • http://www.blissentertainment.com.au/usa-online-pharmacies-that-sell-viagra-top.html
    • http://www.blissentertainment.com.au/%244-drugs-food-lion-pharmacy-list-top.html
    • http://michaelbolten.com/Buy-tadalafil-top.html
    • http://www.hollywoodbeachrealestate.org/pharmacy-tablet-identification-top.html
    • http://www.blissentertainment.com.au/no-prescription-drug-pharmacys-online-top.html
    • http://www.hollywoodbeachrealestate.org/Order-Crestor-top.html
    • http://www.hollywoodbeachrealestate.org/find-pharmacy-health-questions-and-answers-top.html
    • http://www.hollywoodbeachrealestate.org/understanding-health-insurance-pharmacy-tiers-top.html
    • http://www.blissentertainment.com.au/Micardis-Online-top.html
    • http://www.hollywoodbeachrealestate.org/u-s-medical-pharmacy-top.html
    • http://www.blissentertainment.com.au/online-pharmacies-that-have-didrex-cheap-top.html
    • http://michaelbolten.com/foreign-online-pharmacies-salazopyrin-top.html
    • http://www.blissentertainment.com.au/Cheap-Keflex-top.html
    • http://www.blissentertainment.com.au/american-pharmacies-that-carry-erfa-thyroid-top.html
    • http://michaelbolten.com/Cephalexin-For-Less-top.html
    • http://www.blissentertainment.com.au/Purchase-Combigan-top.html
    • http://www.hollywoodbeachrealestate.org/why-can%27t-my-pharmacy-get-midrin-top.html
    • http://michaelbolten.com/foreign-pharmacy-no-prescription-reviews-top.html
    • http://www.blissentertainment.com.au/us-pharmacy-zyrtec-zoloft-rxpricebusterscom-top.html
    • http://michaelbolten.com/usa-no-prescription-pharmacy-top.html
    • http://www.hollywoodbeachrealestate.org/medical-pharmacy-willimantic-ct-top.html
    • http://michaelbolten.com/Cheap-Exelon-top.html
    • http://www.hollywoodbeachrealestate.org/all-med-pharmacy-top.html
    • http://michaelbolten.com/aquazide-us-pharmacy-no-prescription-top.html
    • http://michaelbolten.com/tri-mix-gel-compounding-pharmacy-top.html
    • http://michaelbolten.com/progesterone-cream-pharmacy-wisconsin-price-top.html
    • http://michaelbolten.com/Temovate-Cream-Without-Prescription-top.html
    • http://www.blissentertainment.com.au/pharmacy-care-and-nutrition-top.html
    • http://www.blissentertainment.com.au/fox-army-health-center-pharmacy-formulary-top.html
    • http://www.hollywoodbeachrealestate.org/Lopid-Sale-top.html
    • http://www.blissentertainment.com.au/online-pharmacy-diet-pills-top.html
    • http://www.hollywoodbeachrealestate.org/foreign-pharmacies-ritalin-review-top.html
    • http://michaelbolten.com/pharmacy-reversible-prescription-vials-top.html
    • http://www.hollywoodbeachrealestate.org/no-prescription-german-pharmacy-prednisone-top.html
    • http://michaelbolten.com/offshore-pharmacies-vicodin-es-top.html
    • http://www.blissentertainment.com.au/phentermine-us-pharmacies-top.html
    • http://www.blissentertainment.com.au/pharmacy-prescription-assistance-nevada-top.html
    • http://michaelbolten.com/online-pharmacy-phendimetrazine-top.html
    • http://michaelbolten.com/Purchase-Lozol-top.html
    • http://www.hollywoodbeachrealestate.org/hormone-replacement-therapy-pharmacy-top.html
    +30 more URL(s)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| stream_002_off0000bb23.bin | a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xBB23 | 264072 bytes |
| embedded_pdf_script_0003d474.bin | 3f8e40ed174493c4b2d1069ff4d371a2dc001b84ba366b55daef9627a40f4a3d | pdf-embedded-script | PDF decompressed stream script payload at offset 0x3D474 | 251202 bytes |

Detection

ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).