Malicious PDF — malware analysis report

Static analysis result for SHA-256 9147304addef223e…

Verdict: MALICIOUS
File type: PDF
Size: 3.44 MB
Created: 2008-08-19 07:53:06 +00:00
Authoring application: dvipdfmx (via DVIPDFMx (20031116), Copyright © 2002 by Jin-Hwan Cho and Shunsaku Hirata, Copyright © 1998, 1999 by Mark A. Wicks)
MD5: e6bdeacd2feef063f22b0efbc42f6179
SHA-1: 53cbc03540cb7c54d89f4dd71074e9f423d3a4c6
SHA-256: 9147304addef223e7f0c15710b78d3b9a6c28a386ece2cff27aec4d6fbe6cd16
Risk Score: 98

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The PDF file contains embedded JavaScript and triggers a high-severity heuristic for visible LOLBin command execution instructions, indicating an attempt to run external code. The presence of JavaScript streams and the 'SE_LOLBIN_RUN_COMMAND' heuristic strongly suggest the document is designed to exploit vulnerabilities and download further malicious content. The embedded URLs, particularly 'http://www.opencontent.org/openpub/', are potential indicators of the distribution or command-and-control infrastructure.

Heuristics (9)

  • SE_LOLBIN_RUN_COMMAND (high): Visible LOLBin command execution instruction
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • PDF_MANY_STREAMS (medium): Unusually high stream count
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_EMBEDDED (low): Embedded file
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • PDF_XFA (low): XFA form
    PDF uses XML Forms Architecture — can contain script logic.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://www.opencontent.org/openpub/
    • http://www.opencontent.org/opl.shtml
    • http://web.efrei.fr/aiefrei/effervescence/123/vim.en.html
    • http://groups.yahoo.com/group/vimannounce/message/159
    • http://vimdoc.sf.net
    • http://www.vim.org
    • http://vim.sf.net
    • http://www.vim.org/binaries.html
    • http://www.vim.org/iccf/click1.html
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (18)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size, followed by per-artifact detection results where available.

javascript_obj6357_000.js
  SHA-256: 97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61
  Kind: pdf-javascript-stream
  Source: PDF /JS object 6357 at offset 0x2C885C
  Size: 1946 bytes

font_00_type1_off0019defa.bin
  SHA-256: ac60ebe560aaaec3286442cfbf0f7ff29b054e7089c8037e1e3d2c1e66d56da4
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x19DEFA
  Size: 18019 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Carved artifact entropy is 7.81, consistent with packed or encrypted content.

font_01_type1_off001a2036.bin
  SHA-256: ad58fe7caa4133662fffe05b40e6d743566e2bc4a10338481b2eddbc3db00399
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x1A2036
  Size: 2602 bytes

font_02_type1_off001a2893.bin
  SHA-256: 772bae182cdcc332e09549da36e70a9e5ea9d97bbe732f63422a4b743e25beed
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x1A2893
  Size: 4472 bytes

font_03_type1_off001a3813.bin
  SHA-256: d0b914e6815691094d09b2590e25884d5e320f2b96cdfe339edfd5c0af743be7
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x1A3813
  Size: 3353 bytes

font_04_type1_off001a4361.bin
  SHA-256: 61bddc1324fa019ded9b9beef5fbe7c98c0527ac439711863b9ee665fbf7681c
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x1A4361
  Size: 18557 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Carved artifact entropy is 7.82, consistent with packed or encrypted content.

font_05_type1_off001a86bf.bin
  SHA-256: fdaef089551799c5d5c4fd239b76b242847ef39b6585b2bdc06505aec483d03e
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x1A86BF
  Size: 2513 bytes

font_06_type1_off001a8ef4.bin
  SHA-256: 5bf3e1d24c419ba6c9ec4865cc2e4ec27e20a2c84eae71b644e3b514cd34a3d6
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x1A8EF4
  Size: 3373 bytes

font_07_type1_off001a9a16.bin
  SHA-256: 4a6b1329d9ef50f8d536bbf59905987b5a7f97aa391e79584756be358b7ba8b8
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x1A9A16
  Size: 3020 bytes

font_08_type1_off001aa434.bin
  SHA-256: bee0f9b716231b82a41ea0364a010f9a4b421e9af6711ced51caa08b1194fba0
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x1AA434
  Size: 2729 bytes

font_09_type1_off001aad33.bin
  SHA-256: 6af4d8554d38f55870fea01a4b4df30c655916f61b2d6240e40f2e48e71fb024
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x1AAD33
  Size: 2727 bytes

font_10_type1_off001ab62e.bin
  SHA-256: 7c63829e7ca49dbe355f55116e1bea876f08f4fe00deafd38ffd8c58cdd202d8
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x1AB62E
  Size: 4574 bytes

font_11_type1_off001ac65b.bin
  SHA-256: 60b8ba2d67b7d7c3ad1df69ed00805d75026fe9eabf08d8a91e7df3bdfa0f6f5
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x1AC65B
  Size: 2819 bytes

font_12_type1_off001acfa5.bin
  SHA-256: 4c00d590efa559753373eb5a6e433c0fb3d6970937909a234bda559c0e05f4fa
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x1ACFA5
  Size: 2507 bytes

font_13_type1_off001ad7d8.bin
  SHA-256: fa1282ac2a94564638d3155937f6a8a72bc8f26f2d33e5124495e88b6d8768be
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x1AD7D8
  Size: 2593 bytes

font_14_sfnt_off001ae3e5.bin
  SHA-256: d3707a31092b707f37a5d6bbdfd3c53c304bf0648ed4980c53f3b29e88694deb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1AE3E5
  Size: 997400 bytes

font_15_sfnt_off0022085a.bin
  SHA-256: aed37c073d8d876cee0f9b1f2a5f2ac30b9a906d384eef37631b6dd0e970630f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x22085A
  Size: 107116 bytes

font_16_sfnt_off0022baf0.bin
  SHA-256: 0cec0743b111f6058f2c580d3ca735f6332642ac2d86d29e06982c9cc2581b22
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x22BAF0
  Size: 130504 bytes