Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e1bab2b9de7106e…

Verdict: MALICIOUS
File type: PDF
Size: 119.0 KB
Created: 2018-03-28 01:34:47 +03:00
MD5: c0468ee596285cb1686c8c0dfa9973a9
SHA-1: 133966bd2860155ca9eeef6ef7653f1a6afd5fd3
SHA-256: 8e1bab2b9de7106e40807e0eed76d65f8998d3952345709f5a73a1252e1dd626
Risk Score: 176

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

This PDF file was flagged as malicious by an ML classifier and contains a hidden ZIP payload with a JavaScript file. The JavaScript appears to be designed to exploit vulnerabilities in older versions of Adobe Reader to download and execute a second-stage payload from the URL https://studentbackr.com/blog/MSWORD%20FONT%20V.%20345.000.001.zip. The presence of a hidden executable payload within the PDF stream and a direct link to an archive further supports this malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9895

Heuristics (6)

  • [critical] PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD: Hidden ZIP payload with executable entries inside PDF stream
    PDF stream bytes contain an embedded ZIP archive whose local headers name executable payload files. This is not a normal PDF attachment (/EmbeddedFile); it hides Windows payloads inside an ordinary stream, a strong malware-loader or smuggling pattern.
  • [critical] PDF_DIRECT_PAYLOAD_LINK: PDF link points directly to executable/archive payload
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • [low] PDF_JAVASCRIPT: JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_EMBEDDED: Embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://studentbackr.com/blog/MSWORD%20FONT%20V.%20345.000.001.zip
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, the source location inside the PDF, and the size.

  • MSWORD_FONT_V._345.000.001.zip
    SHA-256: 2c3a4c8bd1591714b70408a470c64d51782a0107a929f7ef0842621f13238a08
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 172 at offset 0x1CA70
    Size: 4006 bytes
  • javascript_obj0170_000.js
    SHA-256: 7c6db707bd2406946995e202c5279a067f53c2113f6105a6f6e46f57e9b28c6e
    Kind: pdf-javascript-stream
    Source: PDF /JS object 170 at offset 0x1BDFC
    Size: 2702 bytes
  • stream_014_off0000a4be.bin
    SHA-256: 86092fcfce888c1bfb4b079ccbc023340f75939a88b7f7f3f6d2d9ac3fd02ca5
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xA4BE
    Size: 79989 bytes
  • stream_018_off0001783e.bin
    SHA-256: b1726568b0f8578a2e9e206a420ed8c8b2788ebef0047f20ed90d35fa9900484
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1783E
    Size: 136710 bytes
  • stream_023_off0001bdfc.js
    SHA-256: dce784b7753b351d9c2c03576eaa83a1818da2ea52b31a1771538eeb3bb9ef1c
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1BDFC
    Size: 1806 bytes
  • hidden_pdf_zip_off0001ca77.zip
    SHA-256: 8dda74b0315ca0d5c439c38a68a1ff6763348dea9e7c69158f8184ce405484bc
    Kind: pdf-hidden-zip
    Source: PDF raw stream ZIP payload at offset 0x1CA77
    Size: 4005 bytes