Malicious PDF — malware analysis report

Static analysis result for SHA-256 99a1e2ab172ea0ac…

Verdict: MALICIOUS
File type: PDF
Size: 167.9 KB
Created: 2010-04-25 13:23:41
Authoring application: Toolkit http://www.activepdf.com
MD5:     91bc023573917c19781ae00f19940705
SHA-1:   03d8c1f932e081d762401958db9e2ba8e424b5a0
SHA-256: 99a1e2ab172ea0ac5b3174dea55c2b570853cf2f243503c7e4bb4a181e40065d
Risk score: 92

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File (the source report labels this ID 'Malicious Link'; that name belongs to T1204.001, while T1204.002 is Malicious File)
The PowerShell tag is not backed by anything shown in this report: the carved artifacts are PDF JavaScript streams, and no PowerShell invocation is listed. Confirm it from the decoded JavaScript before using it in reporting.

The one critical-severity indicator is the ClamAV detection Pdf.Exploit.Agent-24048; the remaining heuristics are low- or info-severity context that is common in benign documents on its own: a /JavaScript action, /JS streams, a /Btn form field wired to an action trigger (the fake 'Download' or 'Open' button overlay used in PDF phishing lures) and invoice/payment lure wording. Taken together they describe a fake-invoice document that runs JavaScript when opened or clicked. Fourteen JavaScript streams were carved (objects 103, 388 to 395 and 416 to 425), with object 388 at 48,463 bytes by far the largest. The decoded JavaScript is not reproduced in this report, so whether it downloads a second-stage payload or exploits the reader directly is not established here; the signature family name (Exploit.Agent) points at reader exploitation rather than a plain link lure, and that should be confirmed from the carved streams.

Heuristics (6)

  • ClamAV: Pdf.Exploit.Agent-24048 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-24048.
  • JavaScript action (low) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger (low) PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm, URI, Launch or JS trigger. This is the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Fake invoice / payment lure (low) SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb. Useful context when combined with link, macro or attachment indicators.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, metadata, ...) says how each URL was reached, and those labels are not reproduced here. The six URLs below are the authoring tool's site from the authoring-application field and the standard RDF, Adobe PDF and XMP schema namespace URIs, i.e. document metadata rather than a delivery channel. None of them is a download or callback indicator, and they should not be blocked or hunted on.
    • http://www.activepdf.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (16)

Files carved from inside the sample during analysis. Sizes are the carved (decoded) lengths, not the on-disk stream lengths: object 388 reports 48,463 bytes although object 389 starts about 15 KB after it in the file. Object 388 is the largest JavaScript stream by a wide margin and the one to decode and review first; objects 389 to 395 form a contiguous run immediately after it.

Filename                      Kind                      Source                                     Size
javascript_obj0103_002.js     pdf-javascript-stream     PDF /JS object 103 at offset 0x4732        65 bytes
  SHA-256 c0d3857cdf8a0f473be3e014c073528de4675323b9d3cc4fcd1d8dbd4f590189
javascript_obj0395_003.js     pdf-javascript-stream     PDF /JS object 395 at offset 0x1DF04       35 bytes
  SHA-256 bf9beab1bc060369c6e2ca23200efd1118a1793945baacb2ece91665cb27ed76
javascript_obj0416_004.js     pdf-javascript-stream     PDF /JS object 416 at offset 0x27622       139 bytes
  SHA-256 cd70c492072d53d9ba6131cc5d7d10dfa5d3faad2cbb519d11e67e4230d163a7
javascript_obj0422_005.js     pdf-javascript-stream     PDF /JS object 422 at offset 0x277F1       154 bytes
  SHA-256 059ba8aa623d80e5dafc1294dd422a4f59b4a7fbcbacf455bdec14838b66ebdd
javascript_obj0423_006.js     pdf-javascript-stream     PDF /JS object 423 at offset 0x278C4       158 bytes
  SHA-256 d64f05071b7d7b00e908f61c5675cb3c25c1080e80c84e987b076daade45570e
javascript_obj0424_007.js     pdf-javascript-stream     PDF /JS object 424 at offset 0x279A1       104 bytes
  SHA-256 5a4fca1422bae22552456cc8130f92c4b7b2193df0c7a8c93e47baee7c969e66
javascript_obj0425_008.js     pdf-javascript-stream     PDF /JS object 425 at offset 0x27A3C       97 bytes
  SHA-256 4cb87230dc3a2a16b06a80bdc18ead6a503c77d2355e15827e6f80d8b1aa48b5
javascript_obj0388_009.js     pdf-javascript-stream     PDF /JS object 388 at offset 0x19369       48463 bytes
  SHA-256 bbd3c61bbf828974e661eab46d09e93574a2c2ccfaa8dadb4037063022a1a2a3
javascript_obj0389_010.js     pdf-javascript-stream     PDF /JS object 389 at offset 0x1CF12       429 bytes
  SHA-256 5124ef94d6ed0e617d9ccdc63ce82ec397a406be81a9e6845be09a3d10cbfe15
javascript_obj0390_011.js     pdf-javascript-stream     PDF /JS object 390 at offset 0x1D051       541 bytes
  SHA-256 9d7cc54df6ffa3649b36d786e4ca6e25f33a97759e819288a082dbcb22765c77
javascript_obj0391_012.js     pdf-javascript-stream     PDF /JS object 391 at offset 0x1D1A8       6797 bytes
  SHA-256 286dcff91b599f7d37af8a6ddd3ca895cacbd426f043be7a9adb893e50421ae5
javascript_obj0392_013.js     pdf-javascript-stream     PDF /JS object 392 at offset 0x1D9A0       1768 bytes
  SHA-256 f533a92c3fabd0b7026bb42a1cd793c06cac6391728cf623815591360ac90b8a
javascript_obj0393_014.js     pdf-javascript-stream     PDF /JS object 393 at offset 0x1DC76       394 bytes
  SHA-256 d12236f60530456e14dc95cca3abbb964167544071ef2975ed9875ca002335f1
javascript_obj0394_015.js     pdf-javascript-stream     PDF /JS object 394 at offset 0x1DDB9       418 bytes
  SHA-256 149de44cb35177bab95249a537af0cb2c257d26132b6575db600379135e80e80
stream_129_off0001efa5.bin    decompressed-pdf-stream   PDF FlateDecoded stream at offset 0x1EFA5  11308 bytes
  SHA-256 4ca783847c177cf8b909804d85ae12bcef60504a091e5950741cf0caa4bf85e4
icc_00_off00007327.icc        pdf-icc-profile           PDF ICC profile at offset 0x7327           3144 bytes
  SHA-256 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e