Malicious PDF — malware analysis report

Static analysis result for SHA-256 891b1c0e95eb20fd…

Verdict: MALICIOUS
File type: PDF
Size: 1.02 MB
Created: 2014-06-22 11:39:00
Authoring application: LaTeX with hyperref package + hypdvips (via dvips + GPL Ghostscript 9.06)
MD5: 1e8daf92240856ac91176519476dd0bb
SHA-1: d6f6fda17dfd1d178c018f361ff0ebcc7456c0ba
SHA-256: 891b1c0e95eb20fd2fcbb26fc523cbc8da160d9c82bab745222a5ffd21b3a427
Risk Score: 214

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File
  • T1204.002 Malicious File: User Execution
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1140 Deobfuscate/Decode Files or Information

This PDF file contains embedded JavaScript and is configured with an OpenAction trigger, indicating an attempt to automatically execute code upon opening. Critical heuristics identify a hidden ZIP payload within a PDF stream, containing an executable named 'md5sums.exe'. This suggests the PDF is a dropper designed to unpack and execute a secondary malicious payload. The presence of multiple embedded JavaScript streams and a ZIP archive containing an executable points towards a multi-stage attack. The benign URLs extracted do not detract from the malicious nature indicated by the embedded artifacts and heuristics.

Heuristics (10)

  • Embedded PDF child has suspicious static findings (critical, PDF_EMBEDDED_CHILD_STATIC_TRIAGE)
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • Hidden ZIP payload with executable entries inside PDF stream (critical, PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD)
    PDF stream bytes contain an embedded ZIP archive whose local headers name executable payload files. This is not a normal PDF attachment (/EmbeddedFile); it hides Windows payloads inside an ordinary stream, a strong malware-loader or smuggling pattern.
  • OpenAction trigger (high, PDF_OPENACTION)
    PDF has an /OpenAction — code runs automatically when opened
  • Remote GoTo action (medium, PDF_GOTO_REMOTE)
    PDF references a remote or embedded document via GoToR/GoToE with an extension-less or unresolved target
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.adobe.com/devnet/acrobat/pdfs/pdf_reference_1-7.pdf
    • http://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/release-notes-acrobatxsdk.pdf#page=2
    • http://www.iana.org/assignments/media-types/
    • http://tools.ietf.org/html/rfc2046
    • http://www.ctan.org/tex-archive/macros/latex/contrib/xcolor/xcolor.pdf
    • http://www.ctan.org/tex-archive/macros/latex/contrib/oberdiek/bookmark.pdf
    • http://tools.ietf.org/html/rfc1321
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
embedded_file_obj0033.bin | 284a79d148400d9cd2a423211d1103b5cef0fb9256a4cbe6d7ebe5197c3149dd | pdf-embedded-file | PDF EmbeddedFile object 33 at offset 0x3F009 | 35222 bytes
embedded_file_obj0035.bin | 7ac4096b9263e11a704f06892638258ac1ddc0394dd75ffdc171e7b5ba0123e0 | pdf-embedded-file | PDF EmbeddedFile object 35 at offset 0x41B98 | 105854 bytes
embedded_file_obj0146.bin | 1c1ec44780169fed0202a92c219bc062fc0286fae4b4edd63cbbf7bfcf672987 | pdf-embedded-file | PDF EmbeddedFile object 146 at offset 0x494D6 | 28761 bytes
embedded_file_obj0197.bin | c5e7dc5eae36594d16074217d44f0eeadfd3e6071b01fdf03d92578fbb217851 | pdf-embedded-file | PDF EmbeddedFile object 197 at offset 0x506F0 | 1716 bytes
embedded_file_obj0231.bin | b010d640c09c894f6a365ea728a3035aadfdca91bcf890dacaa234501af60cbe | pdf-embedded-file | PDF EmbeddedFile object 231 at offset 0x50B6D | 53806 bytes
javascript_obj0001_000.js | a8b4855f1c718c68f6494d850d542168d7a75f4d42067e38f810aa2beed45f10 | pdf-javascript-stream | PDF /JS object 1 at offset 0x15795 | 1761 bytes
javascript_obj0095_001.js | 755fba24206aa27cbd02d69fc7a89486d38697fd2e31dfa013e3cd98642cb555 | pdf-javascript-stream | PDF /JS object 95 at offset 0x1847D | 740 bytes
javascript_obj0097_002.js | c96f14833646e0db55e42643e004c3a82900fcff82048b8ec1ef9d6d9d18ad5b | pdf-javascript-stream | PDF /JS object 97 at offset 0x188EB | 62 bytes
javascript_obj0098_003.js | f3a86607eeb9afa49ece1cec20178aac505f020c6548c31cdf25f6d16df13493 | pdf-javascript-stream | PDF /JS object 98 at offset 0x189E4 | 62 bytes
javascript_obj0099_004.js | 336fc05ee66c80600c56757838d2493c32572fa1d081cf8eef721168066febb3 | pdf-javascript-stream | PDF /JS object 99 at offset 0x18ADD | 740 bytes
javascript_obj0101_005.js | ab093fa9db989e501e52b199210d9229fa2eb61a5628daffc55521d5fb96ae30 | pdf-javascript-stream | PDF /JS object 101 at offset 0x18F4C | 62 bytes
javascript_obj0102_006.js | dcbf1f0030904f24d63d591426194760ca2cec25f71004fb79a67340068d999b | pdf-javascript-stream | PDF /JS object 102 at offset 0x19046 | 62 bytes
javascript_obj0103_007.js | 6805c51125a929df043606add496f5809f7252e245ead248473a029c716a0520 | pdf-javascript-stream | PDF /JS object 103 at offset 0x19140 | 911 bytes
javascript_obj0106_008.js | a7cc90dcdf3b8563e24dd12cc98d746dea147be69cb99530810e62bdb5f9ba26 | pdf-javascript-stream | PDF /JS object 106 at offset 0x19709 | 740 bytes
javascript_obj0108_009.js | 11baa496068eb8b4c937b5f61b6bbed33a93c9500e9618e86ee31d7000028484 | pdf-javascript-stream | PDF /JS object 108 at offset 0x19B79 | 62 bytes
javascript_obj0109_010.js | eb90683da5b6a04e69b7d844069afdbec36f7407bbb01cde84840cc297a4e5a0 | pdf-javascript-stream | PDF /JS object 109 at offset 0x19C73 | 62 bytes
javascript_obj0110_011.js | f07c19772ebf33c3479921c8e5c29b155effb5f28b1ec26247319cc13ea5af40 | pdf-javascript-stream | PDF /JS object 110 at offset 0x19D6D | 911 bytes
stream_023_off00023324.bin | 8a486321e11b4ac8b3272be17c2c6023cfbb3de87268056b146f24d3f54230ae | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x23324 | 25064 bytes
stream_026_off0002b289.bin | 63c5dc672156f7e17ad8cccf7c1f095c5c155b93f62340ec56dd79478f31277f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2B289 | 38684 bytes
stream_031_off0003a0c9.bin | eea58130b9bdf54bdeeee9694ec11853d134438537aba5dfa389db31e14984ad | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3A0C9 | 20452 bytes
hidden_pdf_zip_off000494dd.zip | 899d850b5b8a867cdf2e97df1f3d4440de8f2980acbdcc78091d80816774395c | pdf-hidden-zip | PDF raw stream ZIP payload at offset 0x494DD | 28699 bytes
font_01_sfnt_off00026912.bin | fa9a4116b8e75207efb5e05d76692e8ff4d6f0bd76038eb7096dd0d5ad4ffc04 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26912 | 19376 bytes
font_02_sfnt_off00029836.bin | b57cd77a850bbe2bec59a68c5407fc94924982eeb8c8f5dd40dcf59c674edb32 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x29836 | 21248 bytes
font_04_sfnt_off00030839.bin | a460b270a3477e66c2c450bf58dc8e1958a483d9777e6740c12e9ec0e9c40d46 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x30839 | 16484 bytes
font_05_sfnt_off00032944.bin | 1ce03d999b0e0074d19ef3d4431730ee61d5a539377d8b646ec709b5ff85e4d9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x32944 | 40564 bytes
font_06_sfnt_off00036a2a.bin | 7b2de31dd2513c7f0243f559c7d756e1c1b10094505720fb097849f288e69d8b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x36A2A | 16576 bytes
font_07_cff_off00039199.bin | 7401a05ab9fa40d1d4a261af90bc127b6663b70965d0084fe2fe5578ecf0a7b8 | pdf-font-stream | PDF embedded font (cff) at offset 0x39199 | 4638 bytes
embedded_file_obj0155.bin | ba9fef859258330e25dcba441173d62b25de53af6b9510f381e14d0e58cec3dc | pdf-embedded-file | PDF EmbeddedFile object 155 at offset 0xB7E0D | 352840 bytes
embedded_file_obj0260.bin | 9fbd026727338cbb9b49b0595937baa56f233a263fb288621d13734691c9a9e0 | pdf-embedded-file | PDF EmbeddedFile object 260 at offset 0xFF7FD | 53797 bytes
javascript_obj0104_008.js | 7df02488e1d144d3d1533af1f1756e0932b8029fc8aeb42bb29959ba6223408b | pdf-javascript-stream | PDF /JS object 104 at offset 0x1E9D7 | 911 bytes
javascript_obj0107_009.js | 5a28b3143dc6fec2e92554a01734f032ae4c42ccad58f63a735a03a3a2ee7d7c | pdf-javascript-stream | PDF /JS object 107 at offset 0x1EFA0 | 740 bytes
javascript_obj0109_010_1.js | 4e6bb9344fc10745c10e51c1920daf6061f5b8ef97d014b2b92710f6037232ad | pdf-javascript-stream | PDF /JS object 109 at offset 0x1F410 | 62 bytes