Malicious PDF — malware analysis report

Static analysis result for SHA-256 9da68c2e5f4dc86f…

Verdict: MALICIOUS
File type: PDF
Size: 2.70 MB
Created: 2007-05-30 13:36:49 -04:00
Authoring application: Acrobat Editor 8.0 (via Adobe Acrobat 8.0)
MD5: 5296547916a7f72bbcaec57b49d3712c
SHA-1: 0ef4d3e41658e620354871c0d908f968e290f3cb
SHA-256: 9da68c2e5f4dc86f838ff625a0c4c191f7c34ac77d2791b26f84d2374f3e5e4f
Risk Score: 206

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

This PDF document contains JavaScript that attempts to exploit vulnerabilities in Adobe Reader or Acrobat, particularly related to XFA forms. The script is designed to prompt the user with alerts and potentially download and execute a second-stage payload from a URL. The ML classifier also flagged this PDF as malicious. The primary attack vector appears to be leveraging embedded JavaScript to trigger an exploit, leading to the download of further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8277

Heuristics (13)

  • PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Generic recovered JavaScript exploit stage (high) PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Embedded script payload in PDF stream (medium) PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action (low) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low) PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form (low) PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic.
  • Optional Content Group with action trigger (low) PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open.
  • AcroForm button with action trigger (low) PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.appliedsec.com/files/The_Evolving_Art_of_Fuzzing.pdf
    • http://www.appliedsec.com/resources.html
    • http://www.vdalabs.com/home
    • http://www.vdalabs.com/services
    • http://www.vdalabs.com/about_us
    • http://www.vdalabs.com/contact_us
    • http://www.vdalabs.com/
    • http://www.vdalabs.com
    • http://www.appliedsec.com/files/The_Evolving_Art_of_Fuzzing.pdf)/S/URI
    • http://www.appliedsec.com/resources.html)/S/URI
    • http://www.vdalabs.com/home)/S/URI
    • http://www.vdalabs.com/services)/S/URI
    • http://www.vdalabs.com/about_us)/S/URI
    • http://www.vdalabs.com/contact_us)/S/URI
    • http://www.vdalabs.com)/S
    • http://www.monotype.comMonotype
    • http://media.defcon.org/dc-14/video/Defcon14-V42-Jared_DeMott-Evolving_art_of_Fuzzing.mp4
    • http://us.i1.yimg.com/us.yimg.com/lib/smb/assets/hosting/yss/themes/tangiers/v_1_24/images/bg_loop.gif
    • http://us.i1.yimg.com/us.yimg.com/lib/smb/assets/hosting/yss/themes/tangiers/v_1_24/images/hd_bg1.jpg
    • http://us.i1.yimg.com/us.yimg.com/lib/smb/assets/hosting/yss/themes/tangiers/v_1_24/images/nav_bg.gif
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://media.defcon.org/dc-14/video/Defcon14-V42-Jared_DeMott-Evolving_art_of_Fuzzing.mp4)/S/URI
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://cgi.adobe.com/special/acrobat/update
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-form/2.5/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
    • http://www.microsoft.com/typography
    • http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.html

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Each entry lists: Filename, SHA-256, Kind, Source, Size.

embedded_file_obj0053.bin
  SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 53 at offset 0x9DA6
  Size: 85 bytes

embedded_file_obj0059.bin
  SHA-256: beab7113c323ee35ecc46dd04fe6c7836a7e1d2cedd524508b8e90edfb6b89f3
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 59 at offset 0xAC69
  Size: 480 bytes

XVI32U.HLP
  SHA-256: 1663d709ead4d7f372b7e1f0a30ef34e7610b7c9446e3eae24b69a49eacbc330
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 62 at offset 0xAEA1
  Size: 104592 bytes

XVI32.exe
  SHA-256: 0c3e24137784be289a27e6f88228ce117804c2bc4b5c9498cf9ca95678e543b2
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 63 at offset 0x1EDFB
  Size: 879616 bytes

javascript_obj0271_000.js
  SHA-256: 47a11af261864e11a9114c4b8341a8d88c020beda8ccb542c182f131c84bc11f
  Kind: pdf-javascript-stream
  Source: PDF /JS object 271 at offset 0xCE057
  Size: 123 bytes

javascript_obj0132_001.js
  SHA-256: e3e351675eabd51ed0a9b2a42fdbd26abed2160bc835c82b759bad35673da1ea
  Kind: pdf-javascript-stream
  Source: PDF /JS object 132 at offset 0x8E432
  Size: 1535 bytes

javascript_obj0133_002.js
  SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
  Kind: pdf-javascript-stream
  Source: PDF /JS object 133 at offset 0x8E61E
  Size: 870 bytes

javascript_obj0134_003.js
  SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
  Kind: pdf-javascript-stream
  Source: PDF /JS object 134 at offset 0x8E779
  Size: 2798 bytes

stream_011_off00009e45.bin
  SHA-256: 83f00d1c41b1e9c40733e8d585d816806db1325d0b30139e1e7ad824756e1ad9
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x9E45
  Size: 2127 bytes

stream_012_off0000a1a2.js
  SHA-256: ecf8483394da370b944a29c9fe6e967f936a6dc2401321d6f7e4c519cc950459
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xA1A2
  Size: 4410 bytes

stream_013_off0000a7d4.bin
  SHA-256: 07c9c7a0cedc7ade5cfada184c65cf01513c940b63bf164df254c73a81e9ccc4
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xA7D4
  Size: 201 bytes

stream_014_off0000a8a0.bin
  SHA-256: 2d58413fda1ff20c994606823bf49e41194612c0137b6315e50fa7bdc01f1e09
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xA8A0
  Size: 2423 bytes

stream_043_off00096ce6.bin
  SHA-256: b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x96CE6
  Size: 367087 bytes

stream_074_off000d5d69.bin
  SHA-256: 35f401731df11a4eba3502af632e51d68bc394bcb7d34632a331c1ba3f4a0bf6
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xD5D69
  Size: 557168 bytes

generic_stage_recovery_000.js
  SHA-256: ac7d69f0d4c5ac06bccc4c21ecf6b4c6374f4066dda927eb42ce2d5fdb5f5862
  Kind: deobfuscated-js
  Source: generic stage recovery null-collapse from decompressed stream at 0x1EDFB at offset 0x1EDFB
  Size: 262144 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 long base64-like blob(s).

font_00_sfnt_off000019e4.bin
  SHA-256: 1489ea6e627ac8437f3b1545090c796f020941d414776de8ba46e384f1cbdb6d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x19E4
  Size: 20485 bytes