Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c1d787b5ca25167…

Verdict: MALICIOUS
File type: PDF
Size: 525.5 KB
Created: 2008-10-01 12:14:37 UTC
Authoring application: Toolkit http://www.activepdf.com
MD5: 18183ceed0dfe8672f56df474ec95260
SHA-1: 51b7e39fffadf1e3b88a8f30a90dc34b30a54849
SHA-256: 9c1d787b5ca25167fefed00444bd7b57ce55e62f3aa9c8504b63dbcd94fea8e4
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1566.001 Spearphishing Attachment

The PDF document exhibits multiple lures indicative of a business email compromise, specifically a 'Payment redirection / bank-detail change lure' and an 'Advance-fee scam lure'. The presence of embedded JavaScript, triggered by document actions and form buttons, suggests an attempt to execute malicious code. While the JavaScript itself is not directly analyzed here, its presence in conjunction with the strong lures points to an intent to facilitate the scam, likely by redirecting the user to a malicious site or initiating a download. The document's creation by 'Toolkit http://www.activepdf.com' is noted.

Heuristics (10)

  • Advance-fee lottery/parcel scam lure (severity: high, rule SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Payment redirection / bank-detail change lure (severity: high, rule SE_PAYMENT_REDIRECT_LURE)
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern.
  • Callback phishing phone lure (severity: medium, rule SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns.
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger (severity: low, rule PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Urgency / deadline lure (severity: low, rule SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Fake invoice / payment lure (severity: low, rule SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (13)

Files carved from inside the sample during analysis.

javascript_obj0637_000.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 637 at offset 0x71307; Size: 896 bytes
    SHA-256: 25933f107347efa618061d7f18915620201c8ffc96e99f1d2b8f8061c3837a7f

font_00_cff_off0000f743.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0xF743; Size: 6189 bytes
    SHA-256: 4b1ab039c82e518d14bce56b6d8aab303f15f6ba83059c6f2dab93d20c2c0da7

font_01_cff_off00010d68.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x10D68; Size: 6192 bytes
    SHA-256: a97a345e0b8c7bd824d5f4be9ecf568915ef3351adf251f463a707cd59262836
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.43, consistent with packed or encrypted content)

font_02_cff_off00012440.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x12440; Size: 4131 bytes
    SHA-256: cc1d6f50f144b18a9ae1587c38b664ece678c301f1816ece6db373fba163dd3f

font_03_cff_off00014603.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x14603; Size: 5256 bytes
    SHA-256: f18e5c9c7628efd8ee1f32bbcc179cd3243e9fbbb75c76ca4a922919e2d85c6e

font_04_cff_off000158f0.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x158F0; Size: 7608 bytes
    SHA-256: 5dfa10f291d359ecc1b99c9b7abf5357cd05b3bc19247fa0fe1bd6732e55b001

font_05_cff_off000172f2.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x172F2; Size: 9213 bytes
    SHA-256: 858fe3b9a47f2d3ee1d1aec8b6bed2abf969dfa4929a4858f59d272eda2cf832

font_06_cff_off000190f3.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x190F3; Size: 7834 bytes
    SHA-256: b8280775842239c2b62e72bb736cf43c71d171b169e68861cf96f9055a7c59cc
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.42, consistent with packed or encrypted content)

font_07_cff_off000290af.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x290AF; Size: 309 bytes
    SHA-256: 244a0e05e9287a135b91e674eac2f741343e22d87b47a427969cab38b2c0a0a8

font_08_cff_off0002d01f.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x2D01F; Size: 2726 bytes
    SHA-256: 4b90b653cf0ae38fd4419603ad7b44fa99094de00cc30f2e0e1847b2e03aebfb

font_09_cff_off0003f9a4.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x3F9A4; Size: 3127 bytes
    SHA-256: 0e9a3430f69ca1218387bf16d5ccb693edb1df7f3a3b2f962a8e458ca2dc5c52

font_10_sfnt_off00057a55.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x57A55; Size: 20447 bytes
    SHA-256: bb71439891d9b52c43e64fa1bd7d9273ddfdf114adc3548cf44629cb213e54da

font_11_cff_off0005c250.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x5C250; Size: 4142 bytes
    SHA-256: 35c68561a967a252a1e112e86696f5204804898f29824ca7279f303dd31889e6