Malicious PDF — malware analysis report

Static analysis result for SHA-256 996d2aa98d355c08…

Verdict: MALICIOUS
File type: PDF
Size: 4.59 MB
Created: 2003-10-22 15:00:00 UTC
Authoring application: TeX (via pdfTeX-0.13d)
MD5: 65ced6f9120046762978a876cac2cd4e
SHA-1: 64dbbc6fa367be8b27ad43200912581e2771c240
SHA-256: 996d2aa98d355c08d770863f99ee8641d2e8c6785bac94b621f7ae921241c2c7
Risk score: 70

Malware Insights

MITRE ATT&CK
  T1566.002 Phishing: Spearphishing Attachment
  T1204.002 User Execution: Malicious File

The PDF contains a hidden external HTML iframe, indicating an attempt to load content from a remote source; this is the finding the MALICIOUS verdict rests on. The high stream count and the embedded font files are much weaker evidence: a 4.59 MB document produced by pdfTeX is expected to carry hundreds of compressed content and font streams, and the high entropy of the carved fonts is simply what compressed font programs look like, so on their own they do not establish obfuscation. The two URLs of unknown reputation (down.cenet.org.cn and www.hao123hao123.cn) are prioritized as potential indicators of compromise; the remaining extracted URLs are XMP and XFA schema namespaces, not network indicators.

Heuristics (5)

  • PDF_HIDDEN_HTML_IFRAME (high): PDF contains hidden external HTML iframe
    The PDF bytes contain a zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong dropper/redirect indicator, has no place in ordinary PDF content, and is the finding the verdict rests on.
  • PDF_MANY_STREAMS (medium): Unusually high stream count
    The PDF contains 501 or more stream objects. This may indicate heap spray or heavy obfuscation, but it is also what a 4.59 MB pdfTeX document with per-page content streams and embedded fonts normally looks like, so it is only a weak signal here.
  • PDF_XFA (low): XFA form
    The PDF uses XML Forms Architecture, which can carry script logic.
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. The only flagged artifacts in this sample are the embedded font streams with high entropy (see Extracted artifacts); ClamAV found nothing in any carved file.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the tool labels each URL with the channel that reached it (macro, JS, link annotation, document body, ...), but those labels are not present in this excerpt.
    External URLs (unknown reputation):
    • http://down.cenet.org.cn/upfile/28/2004112723216127.pdf
      The extractor over-captured the bytes that follow the URL string, `)/Type/Annot/Subj(Note)/Rect[282.001068`, which shows that the URL sits inside an annotation dictionary (a Note annotation) rather than in page text; the trailing dictionary keys are not part of the indicator.
    • http://www.hao123hao123.cn/ok/index.htm
    Schema namespace URIs (expected in XMP metadata and XFA packets; not network indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
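The hidden-iframe, stream-count and URL heuristics above can be reproduced over the raw PDF bytes without a full PDF parser. The Python below is an added example written for this report, not the scanner's own code. The SAMPLE_PDF skeleton, the example.invalid hosts, the 500-stream threshold (chosen to match the rule's "501+" wording), the NAMESPACE_PREFIXES list and all function names are assumptions. It also shows the one check the URL extractor above evidently lacked: a URL inside a PDF literal string ends at the closing parenthesis, so the dictionary keys that follow it must not be swept into the indicator.

```python
import json
import re
from typing import List, Tuple

# Constructed sample: a PDF-like skeleton (not a valid PDF; lengths and xref are not
# accurate) carrying (1) a Link annotation whose URI string is immediately followed by
# more dictionary keys, (2) an HTML fragment with a zero-size iframe, and (3) an XMP
# namespace declaration. The example.invalid hosts are placeholders, not the sample's URLs.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /A << /S /URI /URI (http://example.invalid/upfile/doc.pdf)/Type/Annot/Subj(Note)/Rect[282.0 10 300 20] >> >> endobj
5 0 obj << /Length 36 >> stream
BT /F1 12 Tf 72 720 Td (Hello) Tj ET
endstream
endobj
6 0 obj << /Length 118 >> stream
<html><body><iframe src="http://example.invalid/ok/index.htm" width="0" height="0" frameborder="0"></iframe></body></html>
endstream
endobj
7 0 obj << /Length 62 >> stream
<x:xmpmeta xmlns:x="http://ns.adobe.com/xap/1.0/"></x:xmpmeta>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

MANY_STREAMS = 500  # assumed threshold; the report's rule fires at "501+" streams

STREAM_RE = re.compile(rb"\bstream\r?\n.*?\r?\nendstream", re.S)
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(rb"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
# A URL inside a PDF literal string ends at the closing ')'; stopping there keeps the
# following dictionary keys (/Type/Annot/...) out of the indicator.
URL_RE = re.compile(rb"https?://[^\s<>\"')\]]+", re.I)

# Schema namespace URIs that XMP metadata and XFA packets always carry; treated as benign.
NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://www.w3.org/1999/xhtml",
    "http://ns.adobe.com/",
    "http://purl.org/dc/elements/1.1/",
    "http://www.xfa.org/schema/",
)


def count_streams(data: bytes) -> int:
    """Count stream ... endstream objects in the raw bytes (input to PDF_MANY_STREAMS)."""
    return len(STREAM_RE.findall(data))


def find_hidden_iframes(data: bytes) -> List[str]:
    """Return the external src URLs of iframes that are zero-sized or styled invisible."""
    hits = []
    for m in IFRAME_RE.finditer(data):
        attrs = {}
        for a in ATTR_RE.finditer(m.group(0)):
            attrs[a.group(1).lower()] = next(g for g in a.groups()[1:] if g is not None)
        src = attrs.get(b"src", b"")
        if not src.lower().startswith((b"http://", b"https://")):
            continue  # relative, about: or data: frames are outside this rule
        style = attrs.get(b"style", b"").lower().replace(b" ", b"")
        hidden = (
            attrs.get(b"width") in (b"0", b"0px")
            or attrs.get(b"height") in (b"0", b"0px")
            or b"display:none" in style
            or b"visibility:hidden" in style
        )
        if hidden:
            hits.append(src.decode("ascii", "replace"))
    return hits


def extract_urls(data: bytes) -> List[Tuple[str, str]]:
    """Unique http(s) URLs in file order, labelled 'namespace' (schema URI) or 'external'."""
    seen, out = set(), []
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("ascii", "replace").rstrip(".,;")
        if url in seen:
            continue
        seen.add(url)
        out.append((url, "namespace" if url.startswith(NAMESPACE_PREFIXES) else "external"))
    return out


def triage(data: bytes) -> dict:
    """Summary in the shape of the report's heuristics block."""
    streams = count_streams(data)
    return {
        "stream_count": streams,
        "PDF_MANY_STREAMS": streams > MANY_STREAMS,
        "PDF_HIDDEN_HTML_IFRAME": find_hidden_iframes(data),
        "external_urls": [u for u, k in extract_urls(data) if k == "external"],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

These regexes only see plaintext bytes. In a real document most streams are FlateDecode-compressed, so a triage pass inflates each stream body with zlib.decompress and reruns the iframe and URL checks over the decoded data; a hidden iframe inside a compressed stream would otherwise be missed.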

Extracted artifacts (18)

Files carved from inside the sample during analysis. The "Obfuscation or payload: likely" label is driven purely by entropy (7.4 to 7.9 bits per byte, which the tool reports as consistent with packed or encrypted content). For a pdfTeX document that reading is expected rather than suspicious: embedded Type1 font programs are stored as FlateDecode-compressed streams, and a Type1 font's private section is eexec-encrypted in any case, so the carved font streams carry near-maximal entropy whether or not anything is hidden in them. ClamAV found no threats in any carved artifact; artifacts without a Detection line had none reported.

icc_00_off0009eb51.icc
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  Kind: pdf-icc-profile (PDF ICC profile) at offset 0x9EB51, 3144 bytes
  Detection: not reported
font_00_type1_off003f3520.bin
  SHA-256: cf83080bae32082913d60fee218a952e471ddad721d86bab97dd00ad27319f2d
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x3F3520, 15591 bytes
  Detection: ClamAV no threats found; entropy 7.83, flagged "Obfuscation or payload: likely"
font_01_type1_off003f76f3.bin
  SHA-256: 0c95882af8f4bdadfca6bce00a76d5f11915e81c76d52eadcbf2865f0a50adac
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x3F76F3, 21026 bytes
  Detection: ClamAV no threats found; entropy 7.86, flagged "Obfuscation or payload: likely"
font_02_type1_off003fc7d8.bin
  SHA-256: b396b43a867035dc8e5453ff10726985dfb5f7592fccba81fa6a5584a76ffeeb
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x3FC7D8, 16388 bytes
  Detection: ClamAV no threats found; entropy 7.85, flagged "Obfuscation or payload: likely"
font_03_type1_off0040532a.bin
  SHA-256: 2f6ee44ea61848a19e44c2c1e8e72efcd328535e740840be9a9a5b4f9f000491
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x40532A, 21410 bytes
  Detection: ClamAV no threats found; entropy 7.88, flagged "Obfuscation or payload: likely"
font_04_type1_off0040dd99.bin
  SHA-256: 4c3b5d62d348dbd402817ab961a2ec8dc845689bbff7484924bde2004d1f5c82
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x40DD99, 4432 bytes
  Detection: not reported
font_05_type1_off0040f68b.bin
  SHA-256: 6544436ba9573d55b102da0613954a829e394bb919af56984e158c0b7d139fba
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x40F68B, 12124 bytes
  Detection: ClamAV no threats found; entropy 7.67, flagged "Obfuscation or payload: likely"
font_06_type1_off00418623.bin
  SHA-256: f96f73ca2919583114282d283fecec4358b490894e37f292b10747d7db5d0a61
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x418623, 2480 bytes
  Detection: not reported
font_07_type1_off0041914f.bin
  SHA-256: 16cae29589f8ae500ee8d8c4ee65a56f47fb5a17c7bd17bafe1d69e87aea8ffe
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x41914F, 5100 bytes
  Detection: ClamAV no threats found; entropy 7.41, flagged "Obfuscation or payload: likely"
font_08_type1_off0041a86b.bin
  SHA-256: 5594956b78773681e5b1154bd96db39d43c33748746b213282d675b6bc030571
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x41A86B, 2307 bytes
  Detection: not reported
font_09_type1_off0041b358.bin
  SHA-256: 8222954aee8469ab287a8263cb796ec9412e2275e8cee932ceea4141e44ee151
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x41B358, 2704 bytes
  Detection: not reported
font_10_type1_off0041e938.bin
  SHA-256: 5cf88826f38e9b80c28aa25ee6e832cd15ebf81832354158fa0d368bbd95beab
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x41E938, 3717 bytes
  Detection: not reported
font_11_type1_off0041f9ff.bin
  SHA-256: b706ad2882e3d3b94511da9b1f8a7a1a9e845aa64ad87a87a137c461b473ea80
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x41F9FF, 7658 bytes
  Detection: ClamAV no threats found; entropy 7.65, flagged "Obfuscation or payload: likely"
font_12_type1_off00421845.bin
  SHA-256: c565ea015719356ae6a9072437a3a7da14dfad19bdc7f6701f7ff9652fa1a4cc
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x421845, 9930 bytes
  Detection: ClamAV no threats found; entropy 7.73, flagged "Obfuscation or payload: likely"
font_13_type1_off004242ee.bin
  SHA-256: 94ca61c8e560ac33bc1e78339c029784368d2fb08d840e73293a16ccecf9a60d
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x4242EE, 2428 bytes
  Detection: not reported
font_14_type1_off0045ac7d.bin
  SHA-256: 08414dd0d5ba827bffe1e2a88f29af6f99a14565ed83b95d8ba7e49aa44251e7
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x45AC7D, 6657 bytes
  Detection: ClamAV no threats found; entropy 7.55, flagged "Obfuscation or payload: likely"
font_15_type1_off0045c404.bin
  SHA-256: cf7d9c370b2a806606ffbb889b9b67c3dc284532eb5e9c1e27c5aadbb082395a
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x45C404, 14172 bytes
  Detection: ClamAV no threats found; entropy 7.78, flagged "Obfuscation or payload: likely"
font_16_type1_off0045ff53.bin
  SHA-256: 13e9e7c5605b9506f5ffa0f94567c348e4ae019168aa8595afe19a116ee318a7
  Kind: pdf-font-stream (PDF embedded font, type1) at offset 0x45FF53, 15783 bytes
  Detection: ClamAV no threats found; entropy 7.83, flagged "Obfuscation or payload: likely"
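The "Obfuscation or payload: likely" verdicts above rest on a single Shannon entropy reading, and the table shows why that is a weak discriminator for font streams. The Python below is an added example, not the analysis tool's code: it computes the same bits-per-byte entropy, checks whether a carved artifact is just a FlateDecode (zlib) stream that can be inflated and judged on its decoded content, and demonstrates on a constructed Type1-like font program that compression alone pushes entropy past 7.5. The fake font generator, its fixed seed, the 7.0 threshold and the verdict names are assumptions.

```python
import math
import random
import zlib
from collections import Counter

HIGH_ENTROPY = 7.0  # assumed threshold in bits per byte; 8.0 is the maximum


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def try_inflate(data: bytes):
    """Return the decoded bytes if data is a complete zlib (FlateDecode) stream, else None."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


def analyze(data: bytes, threshold: float = HIGH_ENTROPY) -> dict:
    """Triage a carved artifact: separate 'merely compressed' from 'opaque high-entropy blob'."""
    result = {"size": len(data), "entropy": round(shannon_entropy(data), 2)}
    decoded = try_inflate(data)
    if decoded is not None:
        # The high entropy is fully explained by compression; judge the decoded bytes instead.
        result["decoded_entropy"] = round(shannon_entropy(decoded), 2)
        result["verdict"] = "flate-compressed"
    elif result["entropy"] >= threshold:
        # Not zlib, yet near-maximal entropy: encrypted, packed, or a binary format such as
        # an eexec-encrypted Type1 section or image data. Needs format-aware inspection.
        result["verdict"] = "high-entropy-opaque"
    else:
        result["verdict"] = "low-entropy"
    return result


# Constructed sample: a Type1-like font program whose charstrings use pseudo-random
# numbers. The fixed seed makes it deterministic. Not a real font, not bytes from the sample.
OPS = ("rlineto", "rrcurveto", "hsbw", "closepath")


def make_fake_font(nglyphs: int = 400, seed: int = 7) -> bytes:
    rng = random.Random(seed)
    lines = [b"%!PS-AdobeFont-1.0: ConstructedSample 001.000"]
    for i in range(nglyphs):
        ops = " ".join(f"{rng.randint(-500, 500)} {rng.choice(OPS)}" for _ in range(20))
        lines.append(f"/g{i} {{ {ops} }} ND".encode())
    return b"\n".join(lines) + b"\n"


RAW_FONT = make_fake_font()
FLATE_FONT = zlib.compress(RAW_FONT, 9)  # what a /Filter /FlateDecode FontFile stream holds

if __name__ == "__main__":
    for name, blob in (("raw Type1 text", RAW_FONT), ("FlateDecode stream", FLATE_FONT)):
        print(name, analyze(blob))
```

Run against a carved stream, a "flate-compressed" verdict with a low decoded entropy means the artifact is ordinary compressed content and the packed/encrypted label can be discounted; only an artifact that neither inflates nor parses as a known binary format deserves the "payload" reading the tool applied to every font here.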