Malicious PDF — malware analysis report

Static analysis result for SHA-256 8bd76f4ff6a36c77…

MALICIOUS

PDF

167.7 KB
MD5: b1d3f9442905898c8f2e1c90fc489d4f SHA-1: b573063c22872d938dd24425b106100de9fdfc16 SHA-256: 8bd76f4ff6a36c77937e68ba59c93d60705dc5806c1bb91194e2230d8577ac31
318 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/JScript T1204.002 Malicious File

The sample is a PDF file detected as malicious by ClamAV (Pdf.Exploit.Agent-35955). It contains embedded JavaScript and a Flash object, indicating an exploit attempt. The high-severity heuristics for 'PDF_GENERIC_STAGE_RECOVERY' and 'POLYGLOT_CHILD_PDF_STATIC_TRIAGE' suggest the JavaScript is used to download and execute a second-stage payload. The URLs associated with 'code.flashdynamix.com' are unknown and potentially malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7322

Heuristics 10

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV: Pdf.Exploit.Agent-35955 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35955
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://code.flashdynamix.com/AES/aes-decrypt.php
    • http://code.flashdynamix.com/AES/aes-encrypt.php
    • http://adobe.com/AS3/2006/builtin

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
WpuVlEGnF.swf
bf9dea6ff47dfb47c2f51b1fa9a09527dfe5e95399ccb2d043ba956b197360c9		 pdf-embedded-file PDF EmbeddedFile object 16 at offset 0x234BB 52647 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35955
Obfuscation or payload: unlikely
javascript_obj0006_000.js
6a2f28e522fbbecf47a32f3b65f2df84cc1d9034f5e5f075d690dddfa4ae9996		 pdf-javascript-stream PDF /JS object 6 at offset 0x13E 275 bytes
generic_stage_recovery_000.js
bfb2b067dc7ba7659ce90466fa38d524e280d405a1b50d216a0bde119b395f44		 deobfuscated-js generic stage recovery null-collapse from decompressed stream at 0x234BB at offset 0x234BB 46461 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35955
Obfuscation or payload: unlikely
polyglot_child_pdf_off00001225.pdf
077f4676b917729015fd801431c0ffdfa983bc309315d0aa06adb892d6899a57		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x1225 167096 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35955
Obfuscation or payload: unlikely
polyglot_child_pdf_off0000244a.pdf
4a6308a1cf97767b290f3cbf0c3c262076770e533d45cc7b516edd2853d25d29		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x244A 162451 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35955
Obfuscation or payload: unlikely
polyglot_child_pdf_off0000366f.pdf
b311a6310c09458712a231baf3f498c9f29a58ef9bf01644d537059ec830060f		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x366F 157806 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35955
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.