Malicious PDF — malware analysis report

Static analysis result for SHA-256 929c6aabff3a8010…

Verdict: MALICIOUS
File type: PDF
Size: 1.64 MB
Created: 2010-04-26 21:44:48 +08:00
Authoring application: Acrobat PDFMaker 8.1 for Word (via Acrobat Distiller 8.2.2 (Windows))
MD5: f119d0b868439bf3c8fb8062f70b891c
SHA-1: d652abda6feceaaa2a83c0ee0acad1dd85fae047
SHA-256: 929c6aabff3a8010eca9a7f7c119e7b5069990ad42ae0d3c8b379ded71cc7ab7
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and three embedded PDF attachments, both flagged as suspicious. The JavaScript in object 1020 (preview below) is a viewer-compatibility notice rather than a loader: it reads app.viewerVersion, and for Acrobat 5 and 6 counts dataObjects or FileAttachment annotations and calls app.alert to tell the user how to reach the attachments. It does not open, launch or modify anything itself. The content that carries the verdict sits in the embedded children (the UsSOMV.pdf child contains heavily name-mangled script) and in the PRC/3D content flagged below. The ML classifier also strongly indicated maliciousness. Because the exact payload and exploit mechanism are not discernible from the wrapper document alone, confidence is moderate.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8230

Heuristics (9)

  • PRC/3D content in PDF (severity: high, CVE-related; rule PDF_PRC_3D)
    PDF contains PRC 3D content. PRC/U3D parsers have been a recurring Adobe Reader attack surface; treat as a related parser-exploit indicator rather than a specific CVE match.
  • Embedded PDF child has suspicious static findings (severity: critical; rule PDF_EMBEDDED_CHILD_STATIC_TRIAGE)
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • Suspicious extracted artifact (severity: medium; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (severity: low; 1 related finding; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low; rule PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Optional Content Group with action trigger (severity: low; rule PDF_OPTIONAL_CONTENT)
    An Optional Content Group (layer) co-occurs with an action trigger. Content can be selectively hidden from viewers or scanners while the action still fires on open.
  • Object number defined twice with different bodies (severity: info; rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was found in document text, not in an action: they are XMP/RDF metadata namespace identifiers plus the IEC reference string carried by the embedded sRGB ICC profile, and none is a network indicator worth pivoting on.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/pdfx/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/g/img/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/t/pg/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/Dimensions# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/Font# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/g/ (in PDF document text)
    • http://www.iec.ch (in PDF document text)
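The duplicate-object heuristic above describes the parser-confusion shape in the abstract. As an added illustration (not the analyzer's own implementation, which this report does not show), the following Python scans a constructed two-revision PDF, groups every `N G obj` definition by object number and generation, reports the ones whose bodies differ, shows what a first-wins and a last-wins reader would each resolve for that object, and raises the severity from info to high only when a duplicate carries active-content keys, as the rule text says. The sample PDF bytes, the active-key list and the severity labels are constructed for this example.

```python
"""Triage for PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style findings.

Scans a PDF byte string for indirect objects ("N G obj ... endobj"), reports
object numbers defined more than once with different bodies, and shows what a
first-wins reader and a last-wins reader would each resolve for that object.
Added example; the analyzer's own implementation is not part of this report.
"""
import re
from collections import defaultdict

# Header "N G obj" at a digit boundary, body up to the next "endobj".
# Caveat: a production scanner must honour stream /Length, because binary
# stream data can legitimately contain the bytes "endobj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Keys whose presence in a duplicated body escalates the finding. Assumed
# list for this example, not the analyzer's.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction",
               b"/AA", b"/EmbeddedFile", b"/URI", b"/SubmitForm")


def find_objects(pdf: bytes):
    """All object definitions in file order: [((num, gen), body, offset)]."""
    return [((int(m.group(1)), int(m.group(2))), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(pdf)]


def duplicate_objects(pdf: bytes):
    """(num, gen) -> [(offset, body)] for objects defined twice with differing bodies."""
    defs = defaultdict(list)
    for key, body, off in find_objects(pdf):
        defs[key].append((off, body))
    return {k: v for k, v in defs.items()
            if len(v) > 1 and len({body for _, body in v}) > 1}


def severity(bodies):
    """'info' for body-only differences, 'high' once a duplicate carries active content."""
    return "high" if any(k in b for b in bodies for k in ACTIVE_KEYS) else "info"


def resolve(pdf: bytes, key, policy: str) -> bytes:
    """Body a reader using the given policy ('first' or 'last') would use for `key`."""
    bodies = [body for k, body, _ in find_objects(pdf) if k == key]
    return bodies[0] if policy == "first" else bodies[-1]


def triage(pdf: bytes):
    """{(num, gen): (severity, first_wins_body, last_wins_body)} for each duplicate."""
    return {key: (severity([b for _, b in defs]),
                  resolve(pdf, key, "first"),
                  resolve(pdf, key, "last"))
            for key, defs in duplicate_objects(pdf).items()}


# Constructed sample (not carved from the analysed file): object 7 is a plain
# GoTo action in the first revision and is redefined as a JavaScript action in
# an incremental update appended after the first %%EOF. The catalog's
# /OpenAction points at 7 0 R in both revisions.
SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
7 0 obj << /S /GoTo /D [3 0 R /Fit] >> endobj
trailer << /Root 1 0 R >>
%%EOF
7 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

if __name__ == "__main__":
    for (num, gen), (sev, first, last) in triage(SAMPLE).items():
        print(f"object {num} {gen} defined twice, severity {sev}")
        print("  first-wins reader sees:", first.decode())
        print("  last-wins reader sees: ", last.decode())
```

Run stand-alone it prints the one duplicate (7 0) with the GoTo body a first-wins reader would use and the JavaScript body a last-wins reader would use. The useful triage question is the one the rule text asks: not whether an object is redefined (incremental saves do that all the time) but whether the two definitions disagree about active content.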

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each record lists Filename, SHA-256, Kind, Source and Size.

SNEC2010_Wz_.pdf
  SHA-256: c9a9fdcd0b8af838ed74fa0bf0e5804ce0969528bf356fcf0fca9fc566262b3e
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 19 at offset 0xA8324
  Size:    9389 bytes

UsSOMV.pdf
  SHA-256: 507cb743bef34a1121ec3a27e1687ba8a09ff37d1fd757c1db917c3c2c72be2d
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 20 at offset 0xE93E4
  Size:    98274 bytes
  Detection
    ClamAV: No threats found
    Obfuscation or payload: likely. 653 of 950 identifiers look randomly generated (e.g. 'zi4MaoSrNVfSAfbAr0bQ9QudQ0m1vLqzlsLmZKzW'); 7 string-concatenation chain(s), consistent with name-mangling obfuscation.

NRecPR.pdf
  SHA-256: 86fd017e469b0a01075dcc932d91343dd116736d659d08e1560cb63aeaecebc4
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 21 at offset 0x15F6D2
  Size:    172085 bytes

javascript_obj1020_000.js
  SHA-256: 97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 1020 at offset 0x910
  Size:    1946 bytes
  Preview script
    The extracted stream is UTF-16BE with a byte-order mark, which is why the raw dump shows one character per two bytes. It is rendered below as plain JavaScript. The four alert strings are Chinese; they are translated to English here, and the Acrobat 6 external-viewer message was only partially recoverable from the dump, so its wording follows the characters that could be read.

    var v = app.viewerVersion;
    if (v < 7)
    {
        var n = 0;
        if (this.dataObjects != null)
            n = this.dataObjects.length;
        if (v >= 5 && v < 6 && n > 0 && (app.viewerVariation == "Full" || app.viewerVariation == "Fill-In"))
        {
            if (this.external)
                app.alert("This document contains file attachments. To view the attachments, click the Save button to save a copy of the document, then open the copy in Acrobat and choose File > Document Properties > Embedded Data Objects.", 3, 0);
            else
                app.alert("This document contains file attachments. Choose File > Document Properties > Embedded Data Objects to view the attachments.", 3, 0);
        }
        else if (v >= 6 && v < 7)
        {
            if (n == 0)
            {
                var np = this.numPages;
                syncAnnotScan();
                for (var p = 0; p < np && n == 0; ++p)
                {
                    var annots = this.getAnnots(p);
                    if (annots != null)
                    {
                        for (var i = 0; i < annots.length; ++i)
                        {
                            if (annots[i].type == "FileAttachment")
                            {
                                n = 1;
                                break;
                            }
                        }
                    }
                }
            }
            if (n > 0)
            {
                if (this.external)
                    app.alert("This document contains file attachments. To view the attachments, click the paper clip icon at the top of the vertical scroll bar of the document window, then choose File Attachments.", 3, 0);
                else
                    app.alert("This document contains file attachments. Choose the Document > File Attachments menu to view the attachments.", 3, 0);
            }
        }
    }

    The script only inspects this.dataObjects and FileAttachment annotations and raises informational alerts (icon 3, OK button) for viewers older than Acrobat 7. It contains no launch, export, or network API, so on its own it is not the exploit; it does confirm that the author expected the attachments to be opened by hand.
stream_007_off0000330e.bin
  SHA-256: 7ed9cb7e3ff77770c036d7df4a20b1d3b14de661cf2c159d3b330876da5daaa4
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x330E
  Size:    104535 bytes

stream_016_off00043af7.bin
  SHA-256: d405b928891ba866e1525e6d18cd17ee00959a93e04d7b4e666a7e311661e65e
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x43AF7
  Size:    1031907 bytes
  Detection
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicator: NOP sled (a run of ten 0x90 bytes at 0x783DE-0x783E7 in the disassembly below). Caveat: the bytes before the run are monotonic single-value runs (a5, a6, a7, a8, then alternating 91 and 93), which is the shape of slowly varying binary data such as image, font or 3D geometry buffers rather than code, and the disassembly window ends inside the run, so whether a control transfer follows it cannot be judged from what is shown. Treat the indicator as low confidence until the stream's dictionary (/Type, /Subtype, /Filter) is checked and the bytes after the run are examined.
Disassembly
Attempted x86 opcode disassembly
0007839E  a6                cmpsb byte ptr [esi], byte ptr es:[edi]
0007839F  a5                movsd dword ptr es:[edi], dword ptr [esi]
000783A0  a5                movsd dword ptr es:[edi], dword ptr [esi]
000783A1  a5                movsd dword ptr es:[edi], dword ptr [esi]
000783A2  a5                movsd dword ptr es:[edi], dword ptr [esi]
000783A3  a5                movsd dword ptr es:[edi], dword ptr [esi]
000783A4  a5                movsd dword ptr es:[edi], dword ptr [esi]
000783A5  a6                cmpsb byte ptr [esi], byte ptr es:[edi]
000783A6  a6                cmpsb byte ptr [esi], byte ptr es:[edi]
000783A7  a6                cmpsb byte ptr [esi], byte ptr es:[edi]
000783A8  a7                cmpsd dword ptr [esi], dword ptr es:[edi]
000783A9  a7                cmpsd dword ptr [esi], dword ptr es:[edi]
000783AA  a7                cmpsd dword ptr [esi], dword ptr es:[edi]
000783AB  a7                cmpsd dword ptr [esi], dword ptr es:[edi]
000783AC  a7                cmpsd dword ptr [esi], dword ptr es:[edi]
000783AD  a7                cmpsd dword ptr [esi], dword ptr es:[edi]
000783AE  a8a8              test al, 0xa8
000783B0  a8a8              test al, 0xa8
000783B2  a8a8              test al, 0xa8
000783B4  a7                cmpsd dword ptr [esi], dword ptr es:[edi]
000783B5  a7                cmpsd dword ptr [esi], dword ptr es:[edi]
000783B6  a7                cmpsd dword ptr [esi], dword ptr es:[edi]
000783B7  c6c6c6            mov dh, 0xc6
000783BA  df                .byte 0xdf
000783BB  df                .byte 0xdf
000783BC  df8d8d8d9090      fisttp word ptr [ebp - 0x6f6f7273]
000783C2  90                nop
000783C3  8f                .byte 0x8f
000783C4  8f                .byte 0x8f
000783C5  8f                .byte 0x8f
000783C6  93                xchg ebx, eax
000783C7  93                xchg ebx, eax
000783C8  93                xchg ebx, eax
000783C9  91                xchg ecx, eax
000783CA  91                xchg ecx, eax
000783CB  91                xchg ecx, eax
000783CC  93                xchg ebx, eax
000783CD  93                xchg ebx, eax
000783CE  93                xchg ebx, eax
000783CF  93                xchg ebx, eax
000783D0  93                xchg ebx, eax
000783D1  93                xchg ebx, eax
000783D2  91                xchg ecx, eax
000783D3  91                xchg ecx, eax
000783D4  91                xchg ecx, eax
000783D5  91                xchg ecx, eax
000783D6  91                xchg ecx, eax
000783D7  91                xchg ecx, eax
000783D8  93                xchg ebx, eax
000783D9  93                xchg ebx, eax
000783DA  93                xchg ebx, eax
000783DB  91                xchg ecx, eax
000783DC  91                xchg ecx, eax
000783DD  91                xchg ecx, eax
000783DE  90                nop
000783DF  90                nop
000783E0  90                nop
000783E1  90                nop
000783E2  90                nop
000783E3  90                nop
000783E4  90                nop
000783E5  90                nop
000783E6  90                nop
000783E7  90                nop
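The NOP-sled indicator on stream_016 is the kind of finding that needs a second look before it drives a verdict, because long homogeneous byte runs are normal in decompressed image, font and 3D buffers. The Python below is an added example, not the analyzer's code: it finds homogeneous runs in a byte buffer, scores each 0x90 run higher when the byte after it is a plausible first instruction (call/jmp, GetPC or register setup, a deliberately small list chosen for this example) and lower when other long single-value runs sit nearby, and exercises both a gradient-shaped buffer modelled on the bytes at 0x7839E above and a textbook sled. Both inputs are constructed; the thresholds and the follower-opcode list are assumptions.

```python
"""Second look at a "NOP sled" indicator in a decompressed PDF stream.

Finds homogeneous byte runs, scores each 0x90 run, and demotes runs that sit
inside gradient-shaped data (long runs of other single values nearby), which
is what decompressed image, font and 3D buffers look like. Added example, not
the analyzer's code.
"""
from dataclasses import dataclass

NOP = 0x90
MIN_RUN = 6           # shortest single-value run worth reporting (assumption)
NEIGHBOURHOOD = 4096  # bytes either side in which other runs count against a sled

# Plausible first bytes of the instruction a sled lands on: call/jmp rel
# (E8/E9/EB), cld (FC), pushad (60), xor/mov register setup (31/33/89/B8),
# fnstenv GetPC prefix (D9). Deliberately small list chosen for the example.
SLED_FOLLOWERS = {0xE8, 0xE9, 0xEB, 0xFC, 0x60, 0x31, 0x33, 0x89, 0xB8, 0xD9}

# Padding bytes whose runs say nothing about code versus data.
PADDING = {0x00, 0xFF}


@dataclass
class Run:
    offset: int
    value: int
    length: int


def homogeneous_runs(data: bytes, min_run: int = MIN_RUN):
    """Runs of one repeated byte with length >= min_run, in offset order."""
    runs, i, n = [], 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_run:
            runs.append(Run(i, data[i], j - i))
        i = j
    return runs


def score_nop_sled(data: bytes, run: Run, runs) -> int:
    """0..2: 1 for the 0x90 run itself, +1 if a plausible instruction follows it,
    -1 if two or more non-padding runs of other bytes lie within NEIGHBOURHOOD."""
    if run.value != NOP:
        return 0
    score = 1
    after = run.offset + run.length
    if after < len(data) and data[after] in SLED_FOLLOWERS:
        score += 1
    smooth_neighbours = [r for r in runs
                         if r is not run and r.value != NOP and r.value not in PADDING
                         and abs(r.offset - run.offset) < NEIGHBOURHOOD]
    if len(smooth_neighbours) >= 2:
        score -= 1
    return max(score, 0)


def nop_sled_candidates(data: bytes):
    """[(offset, length, score)] for every 0x90 run, best score first."""
    runs = homogeneous_runs(data)
    cands = [(r.offset, r.length, score_nop_sled(data, r, runs))
             for r in runs if r.value == NOP]
    return sorted(cands, key=lambda c: -c[2])


# Constructed inputs, not carved from the sample.
# GRADIENT reproduces the byte shape of the disassembly window at 0x7839E:
# ramps of repeated a5..a8 and alternating 91/93 runs ending in ten 0x90s.
GRADIENT = (b"\xa6" + b"\xa5" * 6 + b"\xa6" * 3 + b"\xa7" * 6 + b"\xa8" * 6 + b"\xa7" * 3
            + b"\xc6" * 3 + b"\xdf" * 3 + b"\x8d" * 3 + b"\x90" * 3 + b"\x8f" * 3
            + b"\x93" * 3 + b"\x91" * 3 + b"\x93" * 6 + b"\x91" * 6 + b"\x93" * 3 + b"\x91" * 3
            + b"\x90" * 10)
# SLED is the textbook shape: zero padding, 64 NOPs, then call $+5 / pop ebx / xor eax,eax.
SLED = b"\x00" * 16 + b"\x90" * 64 + b"\xe8\x00\x00\x00\x00\x5b\x31\xc0" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("gradient-shaped buffer", GRADIENT), ("textbook sled", SLED)):
        print(f"{name}: {nop_sled_candidates(blob)}")
```

The gradient-shaped buffer scores 0 (the 0x90 run is surrounded by five other long runs and nothing executable follows it), while the textbook sled scores 2. The scoring is crude on purpose: its value is in making the analyst state what would turn a byte run into evidence, namely the instruction that follows it and the absence of the surrounding gradient, rather than in the numbers themselves.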
stream_050_off00000910.js
  SHA-256: 5c1ab2af46eef55b0d162c3a84464633475df9b138b64aa21a36ffaffbdffa88
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x910
  Size:    1336 bytes

icc_00_off000088b8.icc
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  Kind:    pdf-icc-profile
  Source:  PDF ICC profile at offset 0x88B8
  Size:    3144 bytes

font_00_cff_off000029cc.bin
  SHA-256: 77b2fdeb746d5d5d866e8e96fd733bbbdb8aef7c92ca66fd139dba93f596bd43
  Kind:    pdf-font-stream
  Source:  PDF embedded font (cff) at offset 0x29CC
  Size:    1491 bytes

font_01_sfnt_off0000b731.bin
  SHA-256: 6edec26895cc2313c84fb032c0cb82aa23681198f5427c0d14bf30f02cd3c1b4
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xB731
  Size:    241336 bytes

font_02_cff_off00032472.bin
  SHA-256: febcbbd0f8d6260865e0418e0fcfde97d76e1f553dcd954aa330bccdc23db7ed
  Kind:    pdf-font-stream
  Source:  PDF embedded font (cff) at offset 0x32472
  Size:    3053 bytes

font_03_cff_off00033386.bin
  SHA-256: 7b62d1cb604e36385be20f6483e0a4d1490979f43ee4153921ca909c19219345
  Kind:    pdf-font-stream
  Source:  PDF embedded font (cff) at offset 0x33386
  Size:    417 bytes