Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ac05a389330f51b…

MALICIOUS

PDF

Size: 77.5 KB
Created: 2011-04-18 15:20:20 +08:00
MD5: b786322286b97e4215bd3ca11352975e
SHA-1: 29864439292197987d5cb316b5c7817126a517b1
SHA-256: 8ac05a389330f51b1fd7206a594b761f7fb114e716dd034a0da72fa022c9edc6
Risk Score: 112

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF document contains embedded RichMedia (Flash) content that exploits CVE-2011-0611. This exploit is designed to execute arbitrary code, indicated by the presence of shellcode within the SWF object. The document body is unreadable, but the critical heuristic firing confirms the exploit's presence and likely malicious intent. No specific malware family could be identified.

Machine Learning

  • Nyx PDF Classifier clean score 0.0290

Heuristics (5)

  • Adobe Flash Player RichMedia exploit [critical, CVE likely] (CVE_2011_0611_FLASH_RICHMEDIA)
    PDF combines RichMedia Flash activation with an embedded AS3 SWF loader (ByteArray/loadBytes) and shellcode heap-spray staging. This is the static exploit shape associated with CVE-2011-0611 Flash content delivered through Adobe Reader.
  • RichMedia (Flash) [high] (PDF_RICHMEDIA)
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded file [low] (PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • PDF paints image(s) but contains no text operators [info] (PDF_IMAGE_ONLY_LURE)
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objstm_0026_00.bin
SHA-256: 0841ed6ca2149b386133777ff3868f6222ba5033d6f52cd654a117610818bd40
Kind: pdf-objstm-decoded
Source: PDF /ObjStm 26 0 obj (inflated)
Size: 1084 bytes