Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d5135cfe504e944…

Verdict: MALICIOUS
File type: PDF
Size: 1.34 MB
Created: 2004-05-24 23:32:06 UTC
Authoring application: Acrobat Web Capture 6.0
MD5: 7e6e718d8fadf0b12375563eff8215ee
SHA-1: 070c6fa921ac1a592dd524412bd74e730d815e81
SHA-256: 9d5135cfe504e9441f3c481b4eb8934ccc4824ad2cf8082cc69377e40fe689b1
Risk score: 190

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.002 Spearphishing Attachment

The PDF contains embedded JavaScript and triggers a critical XFA heap spray heuristic, indicating exploit code. The presence of a password-protected archive lure suggests a multi-stage attack where the PDF's primary purpose is to trick the user into opening a subsequent malicious archive. The embedded URL http://www.multimania.com/clad2/2020hac.htm is likely related to the payload delivery.

Heuristics (7)

  • XFA JavaScript heap-spray exploit code critical PDF_XFA_HEAP_SPRAY
    PDF contains XFA script content with heap-spray or shellcode-like JavaScript markers such as large encoded word sequences, util.pack, large arrays, or spray variable names. This is a weaponised Adobe Reader exploit pattern, not a normal interactive form.
  • ClamAV: Win.Trojan.FormatC-95 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.FormatC-95
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • stream_004_off0000977c.bin
    SHA-256: 105466b4164dd3b1ce9733f8284e543f051cf9d4f3d768950a125d79f4c41cec
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x977C
    Size: 47061 bytes
  • embedded_pdf_script_0001cdd5.bin
    SHA-256: 2e7a6500dc897e382fbf0e246375904fb6f7c5295d20d224ee98da4874f10940
    Kind: pdf-embedded-script
    Source: PDF raw stream script payload at offset 0x1CDD5
    Size: 5537 bytes
  • icc_00_off0014960a.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x14960A
    Size: 3144 bytes
  • font_00_sfnt_off0014c6fc.bin
    SHA-256: 1d2118a13f422712a50f675ab22d343bdfcabdcb31140b4dde699f44515bd286
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14C6FC
    Size: 17780 bytes