Malicious PDF — malware analysis report

Static analysis result for SHA-256 95de4ff5d36d184b…

Verdict: MALICIOUS
File type: PDF
Size: 36.4 KB
Created: 2007-10-17 15:55:35 -07:00
Authoring application: Acrobat PDFMaker 8.1 for Word (via Acrobat Distiller 8.1.0 (Windows))
MD5: 61d4a22d0995e5ffac62bc713d028392
SHA-1: 4ba58aea2be84ff3fcb023fd06cbf3315a85c798
SHA-256: 95de4ff5d36d184b02c0691163b8fbea254210e918ca275adb16c1ad9a0248e1
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

This PDF file exhibits multiple heuristic firings related to embedded JavaScript and embedded file payloads. The presence of several large JavaScript streams suggests an attempt to execute malicious code. The primary intent appears to be downloading and executing a second-stage payload, as indicated by the embedded script content. Due to the obfuscation and the nature of the embedded scripts, the exact payload and delivery mechanism are not fully discernible, leading to a moderate confidence score.

Heuristics (8)

  • Embedded script payload in PDF stream (medium, PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form (low, PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic.
  • Optional Content Group with action trigger (low, PDF_OPTIONAL_CONTENT)
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open.
  • AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, kind, source location inside the PDF, size and SHA-256.

  • embedded_file_obj0008.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0x637E
    Size: 85 bytes
    SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
  • embedded_file_obj0016.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 16 at offset 0x7460
    Size: 103 bytes
    SHA-256: edfcc2df45ea942d3a7d5735e3b0c50156009c13b42ae49ccc4fc25949bc0afa
  • javascript_obj0087_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 87 at offset 0xA03
    Size: 1604 bytes
    SHA-256: f979542c4992f256c12537db5bbe5f86605da11ef877e634ccfc2c47c9284b10
  • javascript_obj0088_001.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 88 at offset 0xBEB
    Size: 902 bytes
    SHA-256: 3bf84668674e23c91aaaa6c58c24a1f80a30566e9cfbd09040882d18101fed76
  • javascript_obj0089_002.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 89 at offset 0xD55
    Size: 2798 bytes
    SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
  • stream_011_off0000641d.js
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x641D
    Size: 3099 bytes
    SHA-256: 3688b2da099753e47d6507fba45f8c48923008b6f289c962ff9f23ec28d83250
  • stream_012_off00006874.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x6874
    Size: 3421 bytes
    SHA-256: cb800402ae015a094d44ed1f3a99882c4f638662944d5f5c41498e336407a79d
  • stream_013_off00006c2f.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x6C2F
    Size: 365 bytes
    SHA-256: f963102064bf900d57980c3d8b038784ae562f0d3c7c9f64f95b59735168b99d
  • stream_014_off00006d22.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x6D22
    Size: 2423 bytes
    SHA-256: 2d58413fda1ff20c994606823bf49e41194612c0137b6315e50fa7bdc01f1e09
  • icc_00_off00003706.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x3706
    Size: 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e