Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fd0b536faa47bb6…

MALICIOUS

PDF

Size: 125.8 KB
Created: 2005-02-07 00:19:52 +09:00
Authoring application: Acrobat Distiller 5.0 (Windows)
MD5: c1916714ff931a6acf43c29c952034e8
SHA-1: 9f0d93d3e5d6e9459530d6c8c07233ca79fd631d
SHA-256: 9fd0b536faa47bb669530a4e5b244509b767dde28bdb580b59e7d42944f4df2c
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.002 Malicious File

Static analysis flags several structural anomalies: multiple PDF length mismatches (declared object or stream lengths that disagree with the bytes actually present) and a startxref offset that does not point at an xref table. Both are typical of obfuscation, hand-edited files, or data appended after the original document. Three secondary PDF bodies (%PDF- headers at nonzero offsets) were carved from the file. Note that all three carves end at the same byte (offset plus size is 128768 in each case, which is the 125.8 KB file size), so they are overlapping carve-to-EOF regions of one file rather than three independent embedded documents; their exploit/lure heuristic hits should be confirmed by hand before being reported as a delivered payload. No specific exploit or payload was identified; the verdict rests on the structural anomalies, the heuristic firings and the ML score. The Distiller 5.0 / 2005 creation metadata is attacker-controlled and is not evidence either way.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0046

Heuristics (2)

  • Secondary embedded PDF body has suspicious static findings (severity: critical) POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. The rule is written for polyglots whose top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF body; in this sample the outer container is itself a PDF, so the finding amounts to extra %PDF- headers inside one PDF file (the three polyglot-child-pdf artifacts listed under Extracted artifacts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    All four are XML namespace URIs from the document's XMP metadata packet (the RDF syntax namespace and Adobe XMP schema namespaces). They appear in ordinary Distiller output and are not network indicators; they should not be blocked or hunted as C2.
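The three structural checks behind the summary and the POLYGLOT_CHILD_PDF_STATIC_TRIAGE heuristic (stream length mismatch, startxref offset mismatch, secondary %PDF- headers) can be reproduced with a few lines of Python. The script below is an added example, not the analysis platform's own code, and it assumes that "length mismatch" means a stream's declared /Length disagreeing with the bytes before endstream. The PDF it scans is a constructed sample with those defects built in; the REPORT_CHILDREN offsets and sizes are copied from the Extracted artifacts table so the carve-overlap observation from the summary can be checked.

```python
import re

# Constructed sample (not the analysed file): a minimal PDF carrying the three
# structural defects the report names, so each check below has something to fire on.
#   (a) object 3's stream declares /Length 5 but holds 11 bytes;
#   (b) startxref claims offset 9999, past the end of the file;
#   (c) a second '%PDF-' header follows the first %%EOF (a "secondary PDF body").
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Length 5 >>\nstream\nHELLO WORLD\nendstream\nendobj\n"
    b"xref\n0 4\n0000000000 65535 f \n"
    b"trailer\n<< /Root 1 0 R /Size 4 >>\nstartxref\n9999\n%%EOF\n"
    b"%PDF-1.3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# (offset, size) of the three polyglot-child-pdf artifacts, copied from the report's table.
REPORT_CHILDREN = [(0x448B, 111221), (0x8E91, 92271), (0xD0C0, 75328)]

# A stream dictionary with a direct /Length, up to and including the 'stream' keyword.
# Nested dictionaries inside the stream dict are not handled; good enough for triage.
STREAM_RE = re.compile(
    rb"<<(?:(?!>>).)*?/Length\s+(\d+)(\s+0\s+R)?(?:(?!>>).)*?>>\s*stream(?:\r\n|\n)",
    re.S,
)


def check_stream_lengths(data: bytes) -> list:
    """Streams whose declared /Length disagrees with the bytes before 'endstream'."""
    findings = []
    for m in STREAM_RE.finditer(data):
        if m.group(2):  # indirect /Length (N 0 R); resolving it is out of scope here
            continue
        declared, start = int(m.group(1)), m.end()
        end = data.find(b"endstream", start)
        if end < 0:
            findings.append({"offset": start, "declared": declared, "actual": None})
            continue
        body = data[start:end]
        # The spec puts an EOL before 'endstream'; it is not part of the stream data.
        actual = len(body) - (2 if body.endswith(b"\r\n") else 1 if body.endswith(b"\n") else 0)
        if actual != declared:
            findings.append({"offset": start, "declared": declared, "actual": actual})
    return findings


def check_startxref(data: bytes) -> list:
    """startxref values that do not land on an 'xref' table or an xref stream object."""
    findings = []
    for m in re.finditer(rb"startxref\s+(\d+)", data):
        off = int(m.group(1))
        target = data[off:off + 16]
        ok = target.startswith(b"xref") or re.match(rb"\d+\s+\d+\s+obj", target) is not None
        if not ok:
            findings.append({"startxref_at": m.start(), "claims": off, "file_size": len(data)})
    return findings


def find_child_pdfs(data: bytes) -> list:
    """Every '%PDF-' header at a nonzero offset, with the size a carve-to-EOF rule yields."""
    return [(m.start(), len(data) - m.start())
            for m in re.finditer(rb"%PDF-\d\.\d", data) if m.start() != 0]


def carve_ends(children) -> set:
    """Set of end offsets (offset + size). A single value means every carve runs to the
    same byte, i.e. the 'children' are nested tails of one body, not separate files."""
    return {off + size for off, size in children}


def triage(data: bytes) -> dict:
    return {
        "stream_length_mismatches": check_stream_lengths(data),
        "xref_offset_mismatches": check_startxref(data),
        "child_pdfs": find_child_pdfs(data),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(name, hits)
    # The report's three carves all end at byte 128768 (125.75 KB, the 125.8 KB in the
    # header): overlapping carve-to-EOF regions, not three distinct documents.
    print("report carve ends:", carve_ends(REPORT_CHILDREN))
```

Run it against a real sample by replacing SAMPLE with the file's bytes. A single value from carve_ends() on the carver's output is the signal to inspect the child offsets by hand: the "embedded PDFs" may be one appended or incrementally updated body rather than several payloads, and each child's exploit-heuristic hit will largely be the same bytes scored three times.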

Extracted artifacts (7)

Files carved from inside the sample during analysis.

  • icc_00_off00002f8f.icc
    Kind: pdf-icc-profile   Source: PDF ICC profile at offset 0x2F8F   Size: 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  • icc_05_off00015f8f.icc
    Kind: pdf-icc-profile   Source: PDF ICC profile at offset 0x15F8F   Size: 1328 bytes
    SHA-256: eda03c8910c87b8a3e3c1ffbc35d223da8ae1d0dcfbad0c153c4eefbff436723
  • font_00_sfnt_off0001cccb.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x1CCCB   Size: 6916 bytes
    SHA-256: 24738c45967cac7f523ffafd788c8746c5dd1c89d29b9ebb6128b53392fda625
  • font_01_sfnt_off0001e383.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x1E383   Size: 3004 bytes
    SHA-256: 20284bc5689a454eb9b3dcabbab03115f80a474cbbccbeb4045bafb7dd947cf2
  • polyglot_child_pdf_off0000448b.pdf
    Kind: polyglot-child-pdf   Source: Secondary PDF body inside pdf container at offset 0x448B   Size: 111221 bytes
    SHA-256: 06fa7bedec2b14e0c6dcd3a1e3745ed9aa05ad18d416033051dc84015fbb9b74
  • polyglot_child_pdf_off00008e91.pdf
    Kind: polyglot-child-pdf   Source: Secondary PDF body inside pdf container at offset 0x8E91   Size: 92271 bytes
    SHA-256: ef1cf323a1c7baabd8959ab83c75717999e148dc89c60a6a2ca85ec30e4ad549
  • polyglot_child_pdf_off0000d0c0.pdf
    Kind: polyglot-child-pdf   Source: Secondary PDF body inside pdf container at offset 0xD0C0   Size: 75328 bytes
    SHA-256: 422ebea2e7fe85debf549731f348286bc2f85d46c5d69ddfb405a93e7b26ee05