Malicious PDF — malware analysis report

Static analysis result for SHA-256 965a2499624c592d…

Verdict: MALICIOUS
File type: PDF
Size: 6.91 MB
First seen: 2024-12-08
MD5: 761fd8272eddc7c275c27d8d0d036188
SHA-1: a270b9f06f3753e3c0c9d9cea00dc5ba7542864d
SHA-256: 965a2499624c592d9f238906f321e4dfbf165b58ee6bd7f14a41a8ff20920f40
Risk score: 172

Malware Insights

MITRE ATT&CK
  • T1539 Steal User Data
  • T1056.002 GUI Input Capture

The PDF file exhibits multiple high-severity heuristics indicating malicious intent. Specifically, it triggers alerts for a fake CAPTCHA, an MFA lure, and a critical lure for recovery secrets. These lures are designed to trick users into divulging sensitive information, such as credentials or private keys, which is a common tactic for credential harvesting and financial fraud.

Machine Learning

  • Nyx PDF Classifier clean score 0.0416

Heuristics (7)

  • Recovery secret / private key request (critical, SE_SECRET_RECOVERY_LURE)
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Fake CAPTCHA / human verification prompt (high, SE_FAKE_CAPTCHA)
    Document displays a fake CAPTCHA or human-verification prompt, used to trick users into running commands or pressing keyboard shortcuts.
  • MFA / one-time-code harvesting lure (high, SE_MFA_LURE)
    Document asks for a one-time code, authenticator approval, or MFA confirmation, consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication.
  • Unusually high stream count (medium, PDF_MANY_STREAMS)
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
  • XFA form (low, PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic (matched inside decoded stream).
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (21)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size (Detection notes follow an entry where present)
stream_010_off00183662.bin
d140a01c805bd86be1918a31f17f846898691bf6054802b6127cfc0240dce0a3
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x183662 1511 bytes
stream_012_off00183f3d.bin
81bce0b839453add1cce8bf62c7d1bfacc966efe1127aad2696e8d787602d538
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x183F3D 5035 bytes
stream_127_off001b06f2.bin
dde60b7f8e4c3fad5f46c1e8c64f5f3259b6d73e43fa69d906949291c8867345
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1B06F2 7550 bytes
objstm_1583_00.bin
894bc6761d2616c9d99465041001e1fb7c8df7eefd7c93d2bd9ca196731baffd
pdf-objstm-decoded PDF /ObjStm 1583 0 obj (inflated) 15245 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 long base64-like blob(s).
objstm_1584_00.bin
a7db013a5589fbba6700c9adc16dba2cc1c34b2ad076565a18b692409b0b1af7
pdf-objstm-decoded PDF /ObjStm 1584 0 obj (inflated) 13725 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
objstm_1585_00.bin
7de60e6fe8cc302e19a3022fc3f00dbf6565c4f02f520c65be11d00b9faca1c4
pdf-objstm-decoded PDF /ObjStm 1585 0 obj (inflated) 7691 bytes
objstm_1586_00.bin
424f98542dd5a471d0d0e4eb4ac3a11634476c5d8f63e03852da7998fc470963
pdf-objstm-decoded PDF /ObjStm 1586 0 obj (inflated) 13028 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
icc_00_off00424e12.icc
4855b8fabb96bdc6495d45d089bb8c8efb1ae18389e0dc9e75a5f701a9c0b662
pdf-icc-profile PDF ICC profile at offset 0x424E12 557168 bytes
icc_01_off0066ea35.icc
3f6d674174f3804eb0dabdac90ae17486e898c5063a66f861c116ea033da8301
pdf-icc-profile PDF ICC profile at offset 0x66EA35 3144 bytes
font_00_cff_off00001619.bin
13eef5db03b12be0d5871caf79af936872c9f603b6bcfa9f31d3fddfaa008ba2
pdf-font-stream PDF embedded font (cff) at offset 0x1619 8210 bytes
font_01_cff_off00182eb1.bin
85328faf065d392b67f5a783fe95536bde9b1a8b38dcbf054462487bdbf7abd8
pdf-font-stream PDF embedded font (cff) at offset 0x182EB1 1978 bytes
font_03_cff_off00183bf5.bin
7110c8d76c6cc322603f2ac53dcf2b3206a57639e77565d571b0cddd8f60597d
pdf-font-stream PDF embedded font (cff) at offset 0x183BF5 811 bytes
font_04_cff_off001853f8.bin
937783e48a589fb77121464393a21ad9b539c8b8b9255f94ac0c30fa2a7ce9fc
pdf-font-stream PDF embedded font (cff) at offset 0x1853F8 193128 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.49, consistent with packed or encrypted content.
font_05_cff_off001b48f8.bin
29fe7a6bf39d6b859298ff31f255e4808c97dd9bc0037c8c95388ec100dfa4f2
pdf-font-stream PDF embedded font (cff) at offset 0x1B48F8 83604 bytes
font_06_cff_off001c3c01.bin
10901fc70ef9eedd09a7c7f4ba361b2d80b749f60cd817dfa931a6ef3008b781
pdf-font-stream PDF embedded font (cff) at offset 0x1C3C01 80297 bytes
font_07_cff_off00405f59.bin
3c192bf3b680dfb1a05b681fb430492c0ba86219b2d769676727acb41e79b407
pdf-font-stream PDF embedded font (cff) at offset 0x405F59 161144 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
font_08_cff_off00622c21.bin
6126180eb1bfe08b11f66956f20bfd7b3ff0ebe5616877b731282f70e060cb2f
pdf-font-stream PDF embedded font (cff) at offset 0x622C21 63981 bytes
font_09_cff_off0062da7d.bin
5a0aa410312f0ed567f4a7f1455cadfcaddf93b187426b04e5804ed4ff85fa11
pdf-font-stream PDF embedded font (cff) at offset 0x62DA7D 146060 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.48, consistent with packed or encrypted content.
font_10_cff_off0064979c.bin
22a5d0c4879eeff4bdd5f78415e2a52cd64c379a8a39711df62106e7b562b0a4
pdf-font-stream PDF embedded font (cff) at offset 0x64979C 192734 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.50, consistent with packed or encrypted content.
font_11_cff_off00670e31.bin
f52725423462ecafe59c801c44a581ab33b9c606ba7eb9d21453d4b5eaf6ba56
pdf-font-stream PDF embedded font (cff) at offset 0x670E31 62885 bytes
font_12_cff_off006b2592.bin
40ea9bd015254416e38a29668d8acd05e1f059c7850eb85aa3c06d27117d2353
pdf-font-stream PDF embedded font (cff) at offset 0x6B2592 78131 bytes