Malicious PDF — malware analysis report

Static analysis result for SHA-256 91944f4f47dc5550…

Verdict: MALICIOUS
File type: PDF
Size: 691.4 KB
Created: 2015-03-30 10:52:42 -04:00
Authoring application: SOLIDWORKS 2015 SP3.0 (via HOOPS Publish 8.0)
MD5: adede10199442a415b1646c75575f8f2
SHA-1: a38accfa0eca34078a80ce4feb49568c108e1cd0
SHA-256: 91944f4f47dc555049bd1b582f7ca9ed11288693551a4c87cba07fbd774efad7
Risk score: 146

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.002 Spearphishing Attachment

The PDF carries embedded JavaScript (ten /JS objects are carved below) together with PRC and U3D 3D content, the Adobe Reader parser surface behind CVE-2011-2462 and CVE-2009-3953, and the Nyx classifier scores it malicious (0.7353). The pairing of 3D streams with JavaScript actions is the shape of a parser-exploit delivery document: the script stages memory and triggers the 3D parser, with a second-stage download as the usual follow-on. Two checks before acting on the verdict: the metadata names SOLIDWORKS 2015 SP3.0 via HOOPS Publish 8.0 as the authoring application, a legitimate producer of PRC content that commonly ships with its own viewer JavaScript in CAD-exported PDFs, so the carved JavaScript objects listed under Extracted artifacts are where to confirm exploit staging rather than stock viewer code; and the T1059.001 (PowerShell) mapping is not backed by any extracted artifact on this page. ClamAV matched no signature on the carved files.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7353

Heuristics (9)

  • U3D/3D content in PDF (Adobe Reader 3D parser CVE-family indicator) [high, CVE related] PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content is extremely rare in ordinary documents; CAD-exported 3D PDFs are the main benign exception.
  • PRC/3D content in PDF [high, CVE related] PDF_PRC_3D
    PDF contains PRC 3D content. PRC/U3D parsers have been a recurring Adobe Reader attack surface; treat this as a related parser-exploit indicator rather than a specific CVE match.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode [low] PDF_FROMCHARCODE
    String.fromCharCode found (matched inside a decoded stream); it is used to construct payload strings dynamically. It is also common in benign JavaScript libraries for codepoint manipulation, so on its own it is informational; weaponised use is caught by the dedicated fromCharCode-stage and exploit-shape rules.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger, the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • PDF paints image(s) but contains no text operators [info] PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either the raw bytes or the decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or a risky URI context.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are XMP/RDF namespace identifiers from the document's metadata packet, not navigable links.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each carved file is listed with its filename, SHA-256, kind, source and size, plus detection notes where a static check fired.

javascript_obj0051_001.js
  SHA-256: 32013f733f0afb4fc6f6a02c3f58c406b2974dab9826aca9cbcb78ebb7acd05b
  Kind: pdf-javascript-stream; Source: PDF /JS object 51 at offset 0x8D23; Size: 9111 bytes
javascript_obj0052_002.js
  SHA-256: d4404ba0193e701657242fd6fa2bb1f012e83aa77d86be2cddfbe65f3c0415ee
  Kind: pdf-javascript-stream; Source: PDF /JS object 52 at offset 0x9410; Size: 870 bytes
javascript_obj0053_003.js
  SHA-256: 029eb4581f40ad46b3157b7ec21b4b1081ceb3a3150eac45f34e994c72e5e81f
  Kind: pdf-javascript-stream; Source: PDF /JS object 53 at offset 0x9587; Size: 4620 bytes
javascript_obj0054_004.js
  SHA-256: 6e732fd49998e3343f06980cd9e212325849fc0d35ee5bcd88f82b7b0f3fcced
  Kind: pdf-javascript-stream; Source: PDF /JS object 54 at offset 0x9AB6; Size: 892 bytes
javascript_obj0055_005.js
  SHA-256: 2b1de811b846be63f64231731e905987580645f107da28c2c67e52bbf3f1b4a2
  Kind: pdf-javascript-stream; Source: PDF /JS object 55 at offset 0x9C81; Size: 8677 bytes
javascript_obj0056_006.js
  SHA-256: 34aaa115363e1503f53656e642117ed316cad7d4a18caa5fd4a558ead43b1037
  Kind: pdf-javascript-stream; Source: PDF /JS object 56 at offset 0xA585; Size: 972 bytes
javascript_obj1620_009.js
  SHA-256: 133d8ddc677be72fff2cd00c42e9b65ecfb4324e7cd9fa7da28f3d95e505bf21
  Kind: pdf-javascript-stream; Source: PDF /JS object 1620 at offset 0x9105C; Size: 292 bytes
javascript_obj1634_010.js
  SHA-256: fae37676ef8b0c2e28a5fd0a8f6b28fcb17bdb9cdfd4940d33eacbd23bd9e845
  Kind: pdf-javascript-stream; Source: PDF /JS object 1634 at offset 0x919C4; Size: 63 bytes
javascript_obj1636_011.js
  SHA-256: 22c509ac9bec4b391ec72d28261baf1a3d6a6cb4f0389f450ac54f5b6b375c76
  Kind: pdf-javascript-stream; Source: PDF /JS object 1636 at offset 0x91A7F; Size: 59 bytes
javascript_obj1638_012.js
  SHA-256: 33aeb4aac7db2e0b879a884a200fc20a8036da43eb148214632f38432bd3b657
  Kind: pdf-javascript-stream; Source: PDF /JS object 1638 at offset 0x91B36; Size: 59 bytes
stream_008_off0005f2a9.js
  SHA-256: 1a22b72b072209594a5b474351d5c5b47548973ebe0136ae64bb9b7f4aacdbad
  Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x5F2A9; Size: 14546 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s)).
prc_00_off0002d658.bin
  SHA-256: d32d460f0a636ea8d3bd6b34ed8f296f9a83014eb7428df8357b44d2b9e57859
  Kind: pdf-3d-stream; Source: PDF PRC 3D stream at offset 0x2D658; Size: 186250 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 8.00, consistent with packed or encrypted content). Note that 8.00 bits per byte is the entropy ceiling and is the reading any still-compressed stream gives; PRC is itself a compressed binary format, so this value on its own does not distinguish packed shellcode from ordinary 3D geometry. Decode the stream and re-measure before weighting it.
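The following triage script re-implements the kind of checks behind the heuristics listed above (JavaScript actions and /JS streams, String.fromCharCode inside decoded streams, PRC/U3D content, AcroForm buttons with triggers, image-only pages, URL extraction) and the entropy and decoder-token triage applied to the carved artifacts. It is an added example and not the analysis tool's own code; the rule names are reused from this report, while the inline demo PDF, its JavaScript, and the flat-histogram stand-in for PRC data are assumptions constructed for the demonstration.

```python
"""Static triage of a PDF for the indicators scored in the report above.
Added example, not the analysis tool's code: regex-based object carving,
/FlateDecode only, so a triage helper rather than a conforming parser."""
import math
import re
import zlib
from collections import Counter

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"^(.*?)stream\r?\n(.*)\r?\nendstream\s*$", re.S)
TEXT_OPS = re.compile(rb"\bBT\b|\bET\b|\bTj\b|\bTJ\b")  # text-emitting operators
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
DECODER_TOKENS = (b"eval(", b"unescape(", b"String.fromCharCode", b"atob(")
# Namespace URIs that XMP metadata packets carry; they are not navigable links.
XMP_NAMESPACES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns#",
                  "http://ns.adobe.com/", "http://purl.org/dc/")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling: every byte value equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def carve_objects(pdf: bytes):
    """Yield (obj_num, dictionary_or_body, raw_stream, decoded_stream);
    objects without a stream yield None for the last two."""
    for num, body in OBJ_RE.findall(pdf):
        m = STREAM_RE.match(body)
        if not m:
            yield int(num), body, None, None
            continue
        dictionary, raw = m.group(1), m.group(2)
        decoded = raw
        if b"/FlateDecode" in dictionary:
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:
                pass  # corrupt or not really Flate: keep the raw bytes
        yield int(num), dictionary, raw, decoded

def triage(pdf: bytes) -> dict:
    """Rule hits keyed by the report's rule names, plus per-stream artifact triage."""
    objs = list(carve_objects(pdf))
    # The view the rules scan: object dictionaries plus decoded stream bodies,
    # so a token hidden inside a Flate stream is still found.
    corpus = b"".join(d + (dec or b"") for _, d, _, dec in objs)
    has_trigger = any(k in pdf for k in (b"/SubmitForm", b"/URI", b"/Launch", b"/JS"))
    n_images = len(re.findall(rb"/Subtype\s*/Image", pdf))
    urls = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(corpus)})
    return {
        "PDF_JAVASCRIPT": b"/JavaScript" in pdf,
        "PDF_JS": b"/JS" in pdf,
        "PDF_FROMCHARCODE": b"String.fromCharCode" in corpus,
        "PDF_PRC_3D": b"/PRC" in pdf,
        "PDF_U3D_CVE_RELATED": b"/U3D" in pdf or re.search(rb"/Subtype\s*/3D\b", pdf) is not None,
        "PDF_ACROFORM_BUTTON": b"/Btn" in pdf and has_trigger,
        "PDF_IMAGE_ONLY_LURE": n_images > 0 and TEXT_OPS.search(corpus) is None,
        "EMBEDDED_URL": urls,
        "only_namespace_urls": bool(urls) and all(u.startswith(XMP_NAMESPACES) for u in urls),
        # Entropy before and after decoding: a still-compressed stream reads near
        # 8.0 whatever it carries, so only the decoded figure says anything.
        "artifacts": [{"obj": n,
                       "entropy_raw": round(shannon_entropy(raw), 2),
                       "entropy_decoded": round(shannon_entropy(dec), 2),
                       "decoder_tokens": sum(dec.count(t) for t in DECODER_TOKENS)}
                      for n, _, raw, dec in objs if raw is not None],
    }

def build_sample_pdf() -> bytes:
    """Constructed demo PDF (not the analysed sample; no xref table): a /Btn
    field with a JavaScript action, a Flate-compressed /JS stream that builds
    its URL from unescape()/String.fromCharCode, a /3D annotation backed by a
    /PRC stream, one image XObject, no text operators, and an XMP packet."""
    js = (b"var u = unescape('%68%74%74%70') + String.fromCharCode(58, 47, 47)"
          b" + 'example.invalid/'; app.launchURL(u);")
    prc = bytes(range(256)) * 4   # stand-in for PRC geometry: flat byte histogram
    img = bytes(64)               # 8x8 all-black image sample
    xmp = b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'

    def stream(dictionary: bytes, data: bytes) -> bytes:
        return dictionary[:-2] + b"/Length %d >>\nstream\n" % len(data) + data + b"\nendstream"

    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 10 0 R /AcroForm << /Fields [5 0 R] >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [6 0 R] "
        b"/Resources << /XObject << /Im0 8 0 R >> >> >>",
        stream(b"<< >>", b"q 100 0 0 100 0 0 cm /Im0 Do Q"),  # paints the image, no text
        b"<< /FT /Btn /T (open) /A << /S /JavaScript /JS 9 0 R >> >>",
        b"<< /Type /Annot /Subtype /3D /3DD 7 0 R >>",
        stream(b"<< /Type /3D /Subtype /PRC >>", prc),
        stream(b"<< /Type /XObject /Subtype /Image /Width 8 /Height 8 >>", img),
        stream(b"<< /Filter /FlateDecode >>", zlib.compress(js)),
        stream(b"<< /Type /Metadata /Subtype /XML >>", xmp),
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.7\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    for rule, value in triage(build_sample_pdf()).items():
        print(f"{rule}: {value}")
```

Three behaviours of the demo mirror the findings in this report: String.fromCharCode is only visible after the Flate stream is decoded, which is why the rule says "matched inside decoded stream"; the URL extractor returns only the RDF namespace from the XMP packet because the script assembles its real target at runtime, so an Embedded URL list made up of namespace URIs says nothing about where the document phones home; and the PRC stand-in scores exactly 8.00 bits per byte while containing nothing but a flat byte histogram, so entropy of an undecoded 3D stream should not be read as evidence of a packed payload.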