Malicious PDF — malware analysis report

Static analysis result for SHA-256 994d98f327ced9c7…

MALICIOUS

PDF

Size: 1.24 MB
Created: 2004-05-24 23:32:06 UTC
Authoring application: Acrobat Web Capture 6.0
MD5: 4f6703802373bfcdb73f46d0a5266d38
SHA-1: 2880887b74dea5612e9635d3b910c20ddc14333c
SHA-256: 994d98f327ced9c7276d2444695c33ad31652343759dd65dd82442798ff7ade9
Risk score: 166

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment
  • T1071.001 Web Protocols

The only signature-based detection is ClamAV's Win.Trojan.FormatC-95; every other indicator is heuristic. Bounded stage recovery exposed JavaScript from the raw PDF metadata and from a FlateDecoded stream (PDF_GENERIC_STAGE_RECOVERY), and a raw stream carries an HTML/XFA <script> tag (PDF_EMBEDDED_SCRIPT_PAYLOAD); together these establish embedded scripting, not yet a specific exploit. SE_PASSWORD_ARCHIVE_LURE fired on text that instructs the reader to open a password-protected archive or attachment, a pattern used to keep a secondary payload encrypted until it has passed gateway scanning. The embedded URL http://www.multimania.com/clad2/2020hac.htm is present but marked benign. The recovered JavaScript is large (two 262144-byte stages) yet shows no specific malicious action beyond what the generic transforms exposed; taken together, the indicators are consistent with a downloader or exploit-delivery mechanism. Two caveats for triage: the file metadata (created in 2004 by Acrobat Web Capture 6.0, with a URL set typical of captured web pages about hacking tools) is consistent with a web capture whose page text, rather than an exploit, may be what triggered the lure and ClamAV heuristics; and the T1059.001 PowerShell mapping is not backed by any indicator listed in this report. Inspect the recovered stages (generic_stage_recovery_000.js and _001.js) for Acrobat API calls before treating the verdict as confirmed.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2586

Heuristics 7

  • ClamAV: Win.Trojan.FormatC-95 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.FormatC-95
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.messagezone.com/message.asp
    • http://www.hacker.com
    • http://www.scoregames.com/Images/
    • http://altern.org/hackers
    • http://www.jacksgame.com
    • http://www.scssi.gouv.fr/
    • http://www.africaonline.co.zw/
    • http://www.cybergate.co.zw/
    • http://www.global.co.za/
    • http://www.new.co.za/
    • http://www.oh.us/
    • http://www.k12.us/
    • http://www.ondemand.co.uk/
    • http://www.golden.com.tw/
    • http://is.net.tw/
    • http://web.turnet.net.tr/~mesut/ayarlar.html
    • http://www.varnamo.se/
    • http://www.qatar.net.qa/
    • http://www.infonet.com.py/
    • http://www.teleweb.pt/
    • http://www.isec.pt/
    • http://www.info.com.ph/
    • http://www.emc.com.ph/
    • http://www.aclin.org/
    • http://www.londonderry.org/
    • http://www.tebenet.nl/
    • http://www.nhtv.nl/
    • http://www.deltacom.net/
    • http://www.taegu.ac.kr/
    • http://www.kyunghee.ac.kr/
    • http://www.fukuoka.jp/
    • http://www.kobe-kosen.ac.jp/
    • http://www.lcnet.it/
    • http://www.to.it/
    • http://web.cip.com/br/nobo
    • http://www.cultdeadcow.com/
    • http://www.hackers.com
    • http://www.xxxxxx.com/stats
    • http://www.xxxx.com/stats/access_log
    • http://www.baguette.com/stats
    • http://www.hacker.com/images
    • http://altern.org/hackers/
    • http://www.ThePentagon.com/frog_s_print
    • http://www.networkassociates.com/
    • http://www.shomiti.com/
    • http://www.netcommcorp.com/
    • http://www.guesswork.com/
    • http://www.aggroup.com/
    • http://www.networkssolutions.com/
    • http://www.trouble.org/~zen/satan/satan.html
    +136 more URL(s)
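
The first-wins versus last-wins split described under PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, worked as an added Python example (illustration code, not the analysis engine's own implementation): it indexes every "N G obj ... endobj" definition in a constructed two-revision PDF, reports objects whose repeated definitions differ in body bytes, and raises severity only when one copy carries active-content keys. The PDF bytes, the active-content key list and the severity labels are assumptions made for the example.

```python
"""Find indirect objects defined more than once with differing bodies.

Added example: an illustration of the parser-confusion shape the
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL rule describes, not the engine's own code.
The sample PDF bytes are constructed here; the "active content" key list is an
assumption.
"""
import re
from collections import defaultdict

# "N G obj ... endobj" in object syntax; the lookbehind stops a match from
# starting in the middle of a number.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

# Dictionary keys that lift a redefined object from info to high (assumed list).
ACTIVE_CONTENT = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
                  b"/EmbeddedFile", b"/RichMedia", b"/SubmitForm")


def index_objects(pdf):
    """Map (num, gen) -> [(offset, body), ...] in file order for every definition."""
    objects = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        objects[key].append((m.start(), m.group(3).strip()))
    return objects


def duplicate_bodies(pdf):
    """Objects whose repeated definitions do not share the same body bytes.

    A first-wins reader resolves the earliest copy, a last-wins reader the latest;
    severity stays info unless any copy carries active content."""
    findings = []
    for key, defs in sorted(index_objects(pdf).items()):
        bodies = [body for _, body in defs]
        if len(defs) < 2 or len(set(bodies)) == 1:
            continue
        active = any(tag in body for body in bodies for tag in ACTIVE_CONTENT)
        findings.append({"obj": key, "count": len(defs),
                         "severity": "high" if active else "info",
                         "first_wins": bodies[0], "last_wins": bodies[-1]})
    return findings


# Constructed sample: a minimal PDF plus one incremental update that redefines
# object 3 (rotation only, benign) and object 4 (URI action replaced by a
# JavaScript action). Xref tables are omitted; this scanner ignores them anyway.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Rotate 0 >> endobj
4 0 obj << /S /URI /URI (http://example.invalid/) >> endobj
trailer << /Root 1 0 R >>
%%EOF
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Rotate 90 >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('updated')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for f in duplicate_bodies(SAMPLE_PDF):
        print(f"obj {f['obj'][0]} {f['obj'][1]} defined {f['count']}x, severity {f['severity']}")
        print("  first-wins:", f["first_wins"].decode("latin-1"))
        print("  last-wins: ", f["last_wins"].decode("latin-1"))
```

Real readers resolve objects through the xref chain, so the copy actually rendered can be either one; the point of the check is that two conforming readers (or a gateway scanner and the victim's viewer) can disagree. Incremental updates legitimately redefine page objects, which is why the benign rotation change stays at info.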

Extracted artifacts 4

Files carved from inside the sample during analysis.

  • stream_004_off0000977c.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x977C
    Size: 47061 bytes
    SHA-256: 105466b4164dd3b1ce9733f8284e543f051cf9d4f3d768950a125d79f4c41cec
  • embedded_pdf_script_0001cdd5.bin
    Kind: pdf-embedded-script
    Source: PDF raw stream script payload at offset 0x1CDD5
    Size: 5537 bytes
    SHA-256: 2e7a6500dc897e382fbf0e246375904fb6f7c5295d20d224ee98da4874f10940
  • generic_stage_recovery_000.js
    Kind: deobfuscated-js
    Source: generic stage recovery, percent-decode from raw PDF metadata at offset 0x0
    Size: 262144 bytes
    SHA-256: aef78d4aa9a60e67cf1b1d4cf754d67830cc60b5f6f334370977d31f024f1b57
  • generic_stage_recovery_001.js
    Kind: deobfuscated-js
    Source: generic stage recovery, percent-decode from decompressed stream at 0x0, at offset 0x0
    Size: 262144 bytes
    SHA-256: 1a697f995e122192fc62f6515315a6402d43c5232ce018e22e2b899653086133
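
How the bounded stage recovery behind PDF_GENERIC_STAGE_RECOVERY and the generic_stage_recovery_*.js artifacts above can work, as an added Python example (illustration code, not the engine's implementation): a constructed stream is wrapped in three of the generic layers the rule names (null-byte padding, percent encoding, a numeric array with a subtracted key), and the recovery loop applies the transforms until a round changes nothing, then gates the finding on Acrobat JavaScript and shellcode markers so that an ordinary XFA form script does not fire it. The marker list, the six-round bound, the 256 KiB cap and both sample inputs are assumptions.

```python
"""Bounded static stage recovery over an obfuscated PDF stream.

Added example: an illustration of the approach the PDF_GENERIC_STAGE_RECOVERY
rule describes, not the analysis engine's own code. The layered sample stream
is constructed here; the marker list, round bound and size cap are assumptions.
"""
import re
import urllib.parse

# Acrobat JavaScript and shellcode markers that separate an exploit-like stage
# from ordinary form scripting (assumed list for this example).
EXPLOIT_MARKERS = ("app.setTimeOut", "util.printf", "Collab.", "media.newPlayer",
                   "getAnnots", "spell.customDictionaryOpen", "unescape(", "%u")
MAX_ROUNDS = 6            # bound the decode loop so nested layers terminate
MAX_OUTPUT = 256 * 1024   # cap each recovered stage (assumed; matches the 262144-byte artifacts)


def collapse_nulls(text):
    # "a\x00p\x00p" -> "app" (UTF-16-style padding that defeats naive string scans)
    return text.replace("\x00", "")


def percent_decode(text):
    # "%61%70%70" -> "app"; only runs when a real %XX escape is present
    return urllib.parse.unquote(text) if re.search(r"%[0-9A-Fa-f]{2}", text) else text


def hex_literals(text):
    # "\x61\x70\x70" -> "app"
    return re.sub(r"(?:\\x[0-9A-Fa-f]{2}){2,}",
                  lambda m: bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1"),
                  text)


def from_char_code(text):
    # String.fromCharCode(97,112,112) -> "app" (kept as a quoted literal)
    def repl(m):
        return '"' + "".join(chr(int(c)) for c in re.findall(r"\d+", m.group(1))
                             if int(c) < 0x110000) + '"'
    return re.sub(r"String\.fromCharCode\(\s*([\d,\s]+?)\s*\)", repl, text)


def numeric_array_minus_key(text):
    # var k=[104,108,...]; for(...) s+=String.fromCharCode(k[i]-7);
    # The subtracted constant is read from the decoder loop; a numeric array
    # with no such loop is decoded with key 0. Non-printable results are left alone.
    keym = re.search(r"fromCharCode\(\s*\w+\[\w+\]\s*-\s*(\d+)\s*\)", text)
    key = int(keym.group(1)) if keym else 0

    def repl(m):
        codes = [int(n) - key for n in re.findall(r"\d+", m.group(0))]
        if all(32 <= c < 127 or c in (9, 10, 13) for c in codes):
            return '"' + "".join(map(chr, codes)) + '"'
        return m.group(0)
    return re.sub(r"\[\s*\d+(?:\s*,\s*\d+){7,}\s*\]", repl, text)


TRANSFORMS = (collapse_nulls, percent_decode, hex_literals,
              from_char_code, numeric_array_minus_key)


def recover_stage(blob):
    """Apply the generic transforms until a round changes nothing or the bound
    is hit. Returns (recovered text, names of transforms that fired, in order)."""
    text = blob.decode("latin-1") if isinstance(blob, bytes) else blob
    fired = []
    for _ in range(MAX_ROUNDS):
        before = text
        for transform in TRANSFORMS:
            new = transform(text)
            if new != text:
                fired.append(transform.__name__)
                text = new[:MAX_OUTPUT]
        if text == before:
            break
    return text, fired


def classify(blob):
    """Emit the rule only when a transform fired AND the recovered stage carries
    exploit-like markers, so an accessible XFA form script stays below the bar."""
    text, fired = recover_stage(blob)
    markers = [m for m in EXPLOIT_MARKERS if m in text]
    return {"fired": fired, "markers": markers, "rule": bool(fired and markers)}


# Constructed sample: heap-spray-style stage -> numeric array minus key 7 ->
# percent-encoded -> null-byte padded, i.e. three generic layers deep.
INNER_STAGE = 'var sc = unescape("%u9090%u9090%uCCCC"); app.setTimeOut("run(sc)", 5000);'
KEY = 7
_layer1 = ("var k = [" + ",".join(str(ord(c) + KEY) for c in INNER_STAGE) + "]; "
           "var s = \"\"; for (var i = 0; i < k.length; i++) "
           f"s += String.fromCharCode(k[i] - {KEY}); eval(s);")
_layer2 = urllib.parse.quote(_layer1, safe="")
SAMPLE_STREAM = "".join(c + "\x00" for c in _layer2).encode("latin-1")

# Constructed benign control: an accessible XFA form script with no encoding layers.
BENIGN_XFA = b'<script contentType="application/x-javascript">this.rawValue = xfa.event.newText;</script>'

if __name__ == "__main__":
    print(classify(SAMPLE_STREAM))
    print(classify(BENIGN_XFA))
```

The bound and the cap matter as much as the transforms: without them a self-referential or pathologically nested blob can keep the analyzer busy, and the fixed-size cap is why both recovered stages in the artifact list are exactly 262144 bytes. The marker gate is what keeps PDF_EMBEDDED_SCRIPT_PAYLOAD-style XFA scripts at medium severity rather than triggering the exploit-stage rule.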