Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bf9677524b519fc…

Verdict: MALICIOUS
File type: PDF
Size: 244.1 KB
Created: 2011-04-25 22:48:14 +08:00
MD5: 6fdc8f02e7f649a6c0d2a72e421a5bf9
SHA-1: 2653ab12688f5bdf9667dfd6cf98698633cdb66c
SHA-256: 9bf9677524b519fc1dbc5455f78afce3dfecc1477f52874f3a6272e6eae7bb4b
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF exhibits multiple indicators of malicious intent, including embedded files, JavaScript, and rich media, suggesting an attempt to exploit vulnerabilities or trick the user. The 'PDF_IMAGE_LURE' heuristic indicates a phishing-like presentation, likely hiding a malicious action trigger. The presence of 'POLYGLOT_CHILD_PDF_STATIC_TRIAGE' with a high child score further confirms suspicious embedded content. While no specific malicious URLs were extracted, the overall structure points to a multi-stage attack leveraging embedded objects.

Heuristics (8)

  • POLYGLOT_CHILD_PDF_STATIC_TRIAGE (critical): Secondary embedded PDF body has suspicious static findings
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • PDF_RICHMEDIA (high): RichMedia (Flash)
    PDF contains /RichMedia (Adobe Flash), which is a historic exploit vector (matched inside decoded stream).
  • PDF_IMAGE_LURE (medium): Image-only document with action trigger (screenshot lure)
    PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 244 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • PDF_EMBEDDED (low): Embedded file
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF_XFA (low): XFA form
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

  • embedded_file_obj0001.bin
    SHA-256: 2bbe69c5e9b01e09ead01d39980623115955d79663f86ee38c3e26d62468aede
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 1 at offset 0x380F; Size: 163 bytes
  • embedded_file_obj0002.bin
    SHA-256: 2db2fcfa6c7f0b58af35cd0b7a546eab3e22594fa9e6a322d8448248c1371742
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 2 at offset 0x38FF; Size: 1683 bytes
  • embedded_file_obj0003.bin
    SHA-256: 6824595d40fe37ff3a17665623abb424df29f2bf3924106e83b1192a2fc6fa0d
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 3 at offset 0x3C21; Size: 784 bytes
  • embedded_file_obj0004.bin
    SHA-256: 720c47f19e6a058099295d18a16b7149cc73fe497eb78821ea810f3192228dc4
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 4 at offset 0x3E15; Size: 150 bytes
  • embedded_file_obj0005.bin
    SHA-256: c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 5 at offset 0x3EE6; Size: 2955 bytes
  • embedded_file_obj0006.bin
    SHA-256: 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 6 at offset 0x4260; Size: 200 bytes
  • embedded_file_obj0007.bin
    SHA-256: 41b90835819d2fc9adfbed1f624b97daf557be436627d29ad24fdfcbedc74198
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 7 at offset 0x4353; Size: 835 bytes
  • embedded_file_obj0008.bin
    SHA-256: 4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 8 at offset 0x452B; Size: 56 bytes
  • stream_002_off000003d6.js
    SHA-256: 529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x3D6; Size: 1363 bytes
  • stream_003_off000005b3.js
    SHA-256: e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x5B3; Size: 902 bytes
  • objstm_0041_00.bin
    SHA-256: cc0d110077f81314ac59a491675430d25faa86bdc2526ed35971cf361ac83464
    Kind: pdf-objstm-decoded; Source: PDF /ObjStm 41 0 obj (inflated); Size: 1575 bytes
  • polyglot_child_pdf_off0000c71d.pdf
    SHA-256: 7da986cd53d51d8592119f8c3f240da15b0ad1fdf94ef4d70c941382b28ef11a
    Kind: polyglot-child-pdf; Source: Secondary PDF body inside pdf container at offset 0xC71D; Size: 198940 bytes
  • polyglot_child_pdf_off0003b84c.pdf
    SHA-256: 0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8
    Kind: polyglot-child-pdf; Source: Secondary PDF body inside pdf container at offset 0x3B84C; Size: 6125 bytes