Malicious PDF — malware analysis report

Static analysis result for SHA-256 91fac57c03ffb92e…

MALICIOUS

PDF

107.3 KB Created: 2018-06-12 09:41:10 -04:00
MD5: d0a5a7533301a0644c58844f73e3861a SHA-1: 60d993a2026a9a6381a7716dabb206837438a059 SHA-256: 91fac57c03ffb92e98a0bd598011e616617a958ba00dbbab78bd07076ca6f441
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document automatically executes JavaScript upon opening, which displays a fake Adobe Acrobat updater prompt. This script also attempts to submit form data to a remote URL, likely to download a second-stage payload. The embedded JavaScript and the fake update lure strongly indicate a malicious intent to trick the user into executing further malicious code.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9477

Heuristics 8

  • PDF auto-runs JavaScript form submission on open critical PDF_OPENACTION_JS_SUBMITFORM
    PDF uses /OpenAction to run JavaScript that calls submitForm() with an external HTTP(S) URL. Opening the document triggers the outbound submission path without requiring a normal link click.
  • PDF JavaScript shows fake Acrobat updater prompt high PDF_FAKE_ACROBAT_UPDATE_LURE
    PDF JavaScript displays Acrobat/update-themed language such as a document rendering engine update or remote connection to Adobe servers. When paired with JavaScript or external submission, this is a social-engineering lure rather than benign document text.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://addto.password.land/XV205cGFGcGhNMlZyTW10WmJEWnFiV1JOVkZCdGFqSjZiM0pvWkhWcGJucDJaelpMTlM4eU0wRldRV0ZNVVVWQloyaEZTVGRIVVdJelpISmxlSFZTZDBwblVHRmhNRVpxTW5Gb1NHTTVkallyYWxjelJrYzBWbWd2ZG05bmJtWnNlVXBaVFV0bFFYTktjRFE5TFMxQk5FbEJaSEJZVkVWcGJHUjNPV1puUzFsSGRWWjNQVDA9LS00ZDYyNzI5MzExMTM4YmM0MjE0OTQzMzM2MWUwODdkOTVmNzBjMTFh?cid=914458421#FDF
    • https://addto.password.land/XTm5nNVlrUmFjbFJTY2s5eWJuUkxlRlIwUkU5c01tWldWVWhyYVVrNE9HdHpRV0ZXTTIxd1ZIRm5lRkpGWlZkcFJtY3dTVU14VkhndllYRkZXRTV1TVhSVFZFbDVaRklyVGxOamQyUnJXa2hwVGtaT2JXUkNjRGgyTlZOMldYUnFTbkY1VENzM1ZYYzVOVXBSTDNWd1YzQlFZMUpLWlhGU1VHMXZaRzlyVVN0aVdqbFpWbGs1UVVKNWVqaEJlVFZtYjNCR09XYzBjR0p0ZDFCU1ExUkxWVlpXTDAweU9YZENXVFJGUFMwdGRWUkpRV0pzTmxoaE5IRXlUbWROYWxsTWRuQk5aejA5LS1kNmUyNGZlMTAxYzYyNDRjYThkMjhmNGRkNzEwZTk2ODFlNTYwYWMw?cid=914458421
    • https://addto.password.land/XUm0wMGVGaHlaRTVsU2tOV1dqZFdSRlZhVEdKTGFFbHRWV1UxZVhOWlpFSnBhV1pJWVc1SlIzQk1WbkpSY0djclFWaENNRVZqVjJKSU5tcFVRVmxCZFhOR1JXUmlZblZMYUdKbFIxVTBUMlUzYzJOU2QwZFlhbEJzYTJFMmNDOXJlREJ1VFhrNFpUSlRPWHBNTDNCb1JFOU1RelJEYlM5SWJ6VldRMHhpZVVodlEzb3lkak5sVUZaR2JFdGtNbXBXVTJ3eWMzcENVMkpCV2xCWE1IZFRSREJwYUdwWmVXVkNlbm80UFMwdEwxbG1iamxvT1dWeVJuaDJZVU5rVVdoc1FrcG1RVDA5LS1hMzczZTg5YThiMjIxNzAwOTAxMWZjZTk2NzEzYjJiYTMzNDlmZGEz?cid=914458421
    • https://addto.password.land/XTUN0TGN5dFJNMEZqY0N0RlQzVTJWbVpKVTNCWlNYVldiV056VEUxQ016ZFJZMjlTT1hVMVRXMWxWM0pOTnpocVVVa3ljVTVrV1ROUGRrMHJkVEppZHpaMVRHMXpkWEpwSzBob0wyVlNkWFkxYkZwcVJqWldNMHhpV0hSeE4yczBWWGRoVml0T01VSXJUVVZ3VVZOeFVsTkZhMnhMVmxwSGNVdzJVR1J0VTNabGNqVTJlakJWYjJaWGNXVmhaRFZHVkdKVUszWlJaa2hGT1RGbmIycDNhVVYyTkZWR2RrSXpXbGRuUFMwdFkxbE9ZVWxpUm14M1dpdG5aMUZVWmtkbk1ETlZkejA5LS0zOWFjMDFmODQzZTFlNTA4MzQyYjkyOTEyZTgwZGRkMDdjMmIxYmVh?cid=914458421
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0012_000.js
8a5c4c69cc958d91c9ec4a274828f09b2c12978ad702ba3390867b03c9152bb9		 pdf-javascript-stream PDF /JS object 12 at offset 0x180A 597 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
javascript_obj0012_001.js
a91b4407efd2b5927406d08740e884c99b0d05d4545cd169af4e0157268f30e5		 pdf-javascript-stream PDF /JS object 12 at offset 0x1831 103710 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 long base64-like blob(s).
font_00_cff_off00019643.bin
9340d372ad75a105fdb1627a30e96f892e0dc7d9588c0150cf06b4fa72281cc0		 pdf-font-stream PDF embedded font (cff) at offset 0x19643 4575 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.