Malicious PDF — malware analysis report

Static analysis result for SHA-256 96e4e6c8cc56959d…

Verdict: MALICIOUS
File type: PDF
Size: 646.4 KB
Created: 2008-06-18 20:09:38 -06:00
Authoring application: Acrobat Web Capture 8.0
MD5: 3331b238b32208a7421f80480be22cdd
SHA-1: 02bb20b16d029a40e27e2850169f3d7baf2903bb
SHA-256: 96e4e6c8cc56959de0296a9f7dbc41dd87f6f7404bfc13486b90494f30451318
Risk score: 86

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment
  • T1071.001 Web Protocols

The PDF file contains embedded JavaScript that triggers a SubmitForm action to an external URL, specifically 'https://www.homedepot.ca/webapp/wcs/stores/servlet/HomeDepotEmailRegistrationAddCmd'. This suggests an attempt to phish for user credentials or to deliver a secondary payload. JavaScript actions combined with form submission to a remote URL are key indicators of malicious intent.

Heuristics (7)

  • PDF JavaScript submits form data to external URL (severity: high, rule: PDF_JS_SUBMITFORM_URL)
    PDF JavaScript calls submitForm() with an external HTTP(S) URL. This can send form/document context to a remote endpoint or route the user into a credential-phishing flow. It is a behavioral indicator, not a parser exploit signal.
  • SubmitForm action (severity: medium, rule: PDF_SUBMITFORM)
    PDF has a /SubmitForm action — form data can be silently posted to an attacker-controlled URL
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger (severity: low, rule: PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

javascript_obj0723_000.js
  SHA-256: 014985a8dcdf0f8b541ea57bd391e43c8509e250474586fb1427cb8d6ee6a688
  Kind: pdf-javascript-stream
  Source: PDF /JS object 723 at offset 0x7D17C
  Size: 193 bytes

javascript_obj0554_001.js
  SHA-256: 4af7bdbf6ac10c1ba9de62d8304970f25e5073673325c152467d4be7e9dea07c
  Kind: pdf-javascript-stream
  Source: PDF /JS object 554 at offset 0x8E0B7
  Size: 128 bytes

javascript_obj0628_002.js
  SHA-256: b1cab93dda648b867788c2bd1d3556c94412662225ef55a203e5c05761ac2364
  Kind: pdf-javascript-stream
  Source: PDF /JS object 628 at offset 0x7C2D8
  Size: 314 bytes

stream_060_off0001c5ae.bin
  SHA-256: 963a60cd7d15593b98893002079a9ae9b7e96dbcc9dd6274d30c9f81995f4e2d
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1C5AE
  Size: 675843 bytes

font_00_sfnt_off00007d49.bin
  SHA-256: 123e20c3294c556b1fca0ef1c1690d9d345df1cc9c5b203c6d96c59ff799291b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7D49
  Size: 21803 bytes