Malicious PDF — malware analysis report

Static analysis result for SHA-256 943e3916aa10d484…

Verdict: MALICIOUS
File type: PDF
Size: 223.1 KB
Created: 2011-04-18 15:20:20 +08:00
MD5: 12ef698540c514d863bca6521fd44c1a
SHA-1: 770f6f08bfdfb5f40b7a896950be186e2df82544
SHA-256: 943e3916aa10d484b0f2dc3a8672e0168e3f4d1b31ae6cb21924f5d421521f99
Risk score: 110

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF contains embedded content, including a Flash (/RichMedia) object, a historic exploit vector in Adobe Reader. The POLYGLOT_CHILD_PDF_STATIC_TRIAGE heuristic found a secondary PDF body inside the container whose carved contents triggered suspicious static findings, consistent with a multi-stage document that hands off to a nested payload. The five extracted URLs are XMP/RDF namespace identifiers from the metadata packet (w3.org, ns.adobe.com, purl.org); they are schema names, not fetch targets, and do not by themselves show that the document contacts external resources. Taken together, the structure and the heuristic firings point to an exploit-based document delivering a nested payload.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0182

Heuristics (5)

  • [critical] POLYGLOT_CHILD_PDF_STATIC_TRIAGE: Secondary embedded PDF body has suspicious static findings
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. The heuristic is written for polyglots whose top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload; in this sample the outer container is itself a PDF, so the finding is a second %PDF- body nested inside (or appended to) the visible document rather than a ZIP/OLE polyglot.
  • [high] PDF_RICHMEDIA: RichMedia (Flash)
    PDF contains /RichMedia (Adobe Flash), a historic exploit vector. The keyword was matched inside a decoded stream, so a grep over the raw file bytes would not have found it.
  • [low] PDF_EMBEDDED: Embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload (matched inside a decoded stream).
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it did not, hence the info level.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are XMP/RDF namespace identifiers from the document's metadata packet, not network destinations the document fetches.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
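As an added example (not the analysis tool's own code), the following Python script reproduces the shape of three of the checks above on a constructed document: it locates every %PDF- header and carves the non-zero ones the way the polyglot_child_pdf artifacts are produced, groups "N G obj" definitions to flag duplicates whose bodies differ and raises severity when a duplicate (or a FlateDecode stream inside it) names active content, and counts /RichMedia both in the raw bytes and inside inflated streams. The sample PDF, the ACTIVE_KEYS list and the severity labels are assumptions chosen for illustration.

```python
import re
import zlib

# Keys whose presence in a duplicate body raises PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
# from "info" to "high": active content rather than a benign incremental-update edit.
# The list is an assumption for this example.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/RichMedia", b"/Launch",
               b"/EmbeddedFile", b"/OpenAction", b"/AA")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
MAGIC_RE = re.compile(rb"%PDF-\d\.\d")


def find_pdf_headers(data):
    """Offsets of every %PDF- magic. A non-zero offset is a candidate child body."""
    return [m.start() for m in MAGIC_RE.finditer(data)]


def carve_children(data):
    """Carve each non-zero %PDF- header to end of file, mirroring the report's
    polyglot_child_pdf_off<offset>.pdf artifacts. Because every carve runs to EOF,
    a later child is a suffix of an earlier one and they share an end offset."""
    return {off: data[off:] for off in find_pdf_headers(data) if off > 0}


def inflate_streams(data):
    """Decoded bytes of every stream that inflates as FlateDecode. Keywords such as
    /RichMedia are matched 'inside decoded stream' by scanning these."""
    decoded = []
    for m in STREAM_RE.finditer(data):
        try:
            decoded.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed or non-Flate stream; nothing to inflate
    return decoded


def body_is_active(body):
    """True if the object body, or a Flate stream inside it, names active content."""
    return any(k in view for view in [body] + inflate_streams(body) for k in ACTIVE_KEYS)


def duplicate_objects(data):
    """Group every 'N G obj ... endobj' definition by (N, G) and report the ones whose
    bodies differ: a first-wins and a last-wins reader resolve them differently."""
    seen = {}
    for m in OBJ_RE.finditer(data):
        seen.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    findings = []
    for key, bodies in seen.items():
        if len(set(bodies)) > 1:
            sev = "high" if any(body_is_active(b) for b in bodies) else "info"
            findings.append({"obj": key, "definitions": len(bodies), "severity": sev})
    return findings


def richmedia_hits(data):
    """/RichMedia occurrences in raw bytes versus inside inflated streams."""
    return {"raw": data.count(b"/RichMedia"),
            "decoded": sum(s.count(b"/RichMedia") for s in inflate_streams(data))}


def build_sample():
    """Constructed test document, not the sample in this report: an original body, an
    incremental update that rewrites page 3 benignly and rewrites object 4 with a
    /RichMedia annotation hidden in a FlateDecode stream, and a second %PDF- header
    appended at the tail."""
    hidden = zlib.compress(b"<< /Type /Annot /Subtype /RichMedia /Rect [0 0 100 100] >>")
    original = (b"%PDF-1.7\n"
                b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
                b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
                b"4 0 obj << /Length 5 >> stream\nhello\nendstream endobj\n"
                b"trailer << /Root 1 0 R >>\n%%EOF\n")
    update = (b"3 0 obj << /Type /Page /Parent 2 0 R /Rotate 90 >> endobj\n"
              b"4 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(hidden)
              + hidden + b"\nendstream endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
    child = (b"%PDF-1.4\n10 0 obj << /Type /Catalog >> endobj\n"
             b"trailer << /Root 10 0 R >>\n%%EOF\n")
    return original + update + child


if __name__ == "__main__":
    pdf = build_sample()
    print("headers:", [hex(o) for o in find_pdf_headers(pdf)])
    print("duplicates:", duplicate_objects(pdf))
    print("richmedia:", richmedia_hits(pdf))
```

Run against the constructed sample, object 3 is reported at info (a body-only change with no active content, the benign incremental-update case) while object 4 is reported at high because its second body inflates to a /RichMedia dictionary; the same /RichMedia is invisible to the raw-bytes count, which is why the report's heuristic notes "matched inside decoded stream".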

Extracted artifacts (14)

Files carved from inside the sample during analysis.

Columns: filename, SHA-256, kind, source, size.

objstm_0026_00.bin
  SHA-256: 0841ed6ca2149b386133777ff3868f6222ba5033d6f52cd654a117610818bd40
  Kind: pdf-objstm-decoded  Source: PDF /ObjStm 26 0 obj (inflated)  Size: 1084 bytes
font_00_cff_off000221cc.bin
  SHA-256: 446a03cce2f2f2761b3ea5aafc09b3422d8b14b2b0a171ccd0feaaa8db387455
  Kind: pdf-font-stream  Source: PDF embedded font (cff) at offset 0x221CC  Size: 5626 bytes
font_01_cff_off00023497.bin
  SHA-256: 000bb0c1597793a5a9600ccd1c831b574d96246ff9a808cf4f279a152a5914fe
  Kind: pdf-font-stream  Source: PDF embedded font (cff) at offset 0x23497  Size: 4825 bytes
font_02_cff_off000244c3.bin
  SHA-256: 55773802fa896f81b317ef50aaecbbc649be44beee1b1b5c6c743638b617d4e3
  Kind: pdf-font-stream  Source: PDF embedded font (cff) at offset 0x244C3  Size: 632 bytes
font_03_cff_off000247aa.bin
  SHA-256: 0f326dc60fe92898369158c3af96c0a63586f0f30a29a5f7f3e6b37bcdb6e611
  Kind: pdf-font-stream  Source: PDF embedded font (cff) at offset 0x247AA  Size: 542 bytes
font_04_cff_off00024afc.bin
  SHA-256: fdb2111c03e63969dcd4db4056cc9efdaa6b567d7a39aba7eca4b5846bf90901
  Kind: pdf-font-stream  Source: PDF embedded font (cff) at offset 0x24AFC  Size: 2933 bytes
font_05_cff_off000255d5.bin
  SHA-256: 279e1ee4196b04770874a6e94707570d687a185ae3dbf5af7eaaf0602e713761
  Kind: pdf-font-stream  Source: PDF embedded font (cff) at offset 0x255D5  Size: 638 bytes
font_06_cff_off0002586e.bin
  SHA-256: 3614727d33832134f81a17661cca78683a6b3ff34cdbf66f4639fc4002560d6e
  Kind: pdf-font-stream  Source: PDF embedded font (cff) at offset 0x2586E  Size: 435 bytes
font_07_cff_off00025a4e.bin
  SHA-256: ba44527c438ef6bde24a2bfd73b55efff3e1c814de9e499131d58aab0b9a35ea
  Kind: pdf-font-stream  Source: PDF embedded font (cff) at offset 0x25A4E  Size: 805 bytes
font_08_cff_off00025d95.bin
  SHA-256: 815015c9463a0ceb4f2bf4eee667883ee3ed5caaef95f25ad1c3a4a74b9d4788
  Kind: pdf-font-stream  Source: PDF embedded font (cff) at offset 0x25D95  Size: 507 bytes
font_09_cff_off00028ac3.bin
  SHA-256: 818211e76f7777a275479bfd4332b779370c973c7795c3a3c4d948d401bf01ae
  Kind: pdf-font-stream  Source: PDF embedded font (cff) at offset 0x28AC3  Size: 2986 bytes
font_10_cff_off0002959c.bin
  SHA-256: ae929d019153c7ae36d91c47979d15bfeb8f1e0d6411d6ea371c64c6280e9bbc
  Kind: pdf-font-stream  Source: PDF embedded font (cff) at offset 0x2959C  Size: 462 bytes
polyglot_child_pdf_off0001d505.pdf
  SHA-256: 6a0dc03e89f61aa23c590a4a60c44defa32fa6d6db686763ba19b40db2c0af42
  Kind: polyglot-child-pdf  Source: Secondary PDF body inside pdf container at offset 0x1D505  Size: 108391 bytes
polyglot_child_pdf_off0003647f.pdf
  SHA-256: 0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8
  Kind: polyglot-child-pdf  Source: Secondary PDF body inside pdf container at offset 0x3647F  Size: 6125 bytes

Note on the two child PDFs: 0x1D505 + 108391 and 0x3647F + 6125 both equal byte 228460 (0x37C6C), which is the end of the 223.1 KB file. Both carves run from their %PDF- header to end of file, so the 6125-byte child at 0x3647F is the tail of the 108391-byte child at 0x1D505, not a second independent payload; triage the larger carve and treat the smaller as a second header inside the same appended body.