Malicious PDF — malware analysis report

Static analysis result for SHA-256 a008085e0f9352ff…

Verdict: MALICIOUS
File type: PDF
Size: 244.1 KB
Created: 2011-04-25 22:48:14 +08:00
Authoring application: WPS Office 个人版 (via PDFlib 7.0.3 (C++/Win32))
MD5: f8c670662bc2043664269671fb9a2288
SHA-1: af0afc7a014a8bd550d4779393b197e54210e6ac
SHA-256: a008085e0f9352ff061f509beaac725542ae89a8142320824dfda142010bde45
Risk Score: 164

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

This PDF file triggers multiple high-severity heuristics, including embedded files, JavaScript, and RichMedia (Flash), which strongly suggests malicious intent. The ML classifier also flagged it with high confidence. The combination of embedded objects and JavaScript indicates a likely attempt to execute code or exploit a reader vulnerability when the document is opened. Although the only extracted IOCs (the URLs) are benign XMP namespace references, the overall structure and heuristic findings point to a downloader or exploit delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9906

Heuristics (8)

  • Secondary embedded PDF body has suspicious static findings (severity: critical, rule POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • RichMedia (Flash) (severity: high, rule PDF_RICHMEDIA)
    PDF contains /RichMedia (Adobe Flash), which is a historic exploit vector (matched inside decoded stream).
  • Embedded file (severity: low, rule PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • XFA form (severity: low, rule PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream).
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
embedded_file_obj0001.bin | 2bbe69c5e9b01e09ead01d39980623115955d79663f86ee38c3e26d62468aede | pdf-embedded-file | PDF EmbeddedFile object 1 at offset 0x380F | 163 bytes
embedded_file_obj0002.bin | 2db2fcfa6c7f0b58af35cd0b7a546eab3e22594fa9e6a322d8448248c1371742 | pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0x38FF | 1683 bytes
embedded_file_obj0003.bin | 6824595d40fe37ff3a17665623abb424df29f2bf3924106e83b1192a2fc6fa0d | pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x3C21 | 784 bytes
embedded_file_obj0004.bin | 720c47f19e6a058099295d18a16b7149cc73fe497eb78821ea810f3192228dc4 | pdf-embedded-file | PDF EmbeddedFile object 4 at offset 0x3E15 | 150 bytes
embedded_file_obj0005.bin | c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9 | pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0x3EE6 | 2955 bytes
embedded_file_obj0006.bin | 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5 | pdf-embedded-file | PDF EmbeddedFile object 6 at offset 0x4260 | 200 bytes
embedded_file_obj0007.bin | 41b90835819d2fc9adfbed1f624b97daf557be436627d29ad24fdfcbedc74198 | pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0x4353 | 835 bytes
embedded_file_obj0008.bin | 4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1 | pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0x452B | 56 bytes
stream_002_off000003d6.js | 529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3D6 | 1363 bytes
stream_003_off000005b3.js | e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5B3 | 902 bytes
objstm_0041_00.bin | cc0d110077f81314ac59a491675430d25faa86bdc2526ed35971cf361ac83464 | pdf-objstm-decoded | PDF /ObjStm 41 0 obj (inflated) | 1575 bytes
font_00_sfnt_off00020d8c.bin | 6de5a2f605a4c9c80907af876c927e4433ebf8ebd2d31721676e3c04a68b498c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x20D8C | 195024 bytes
font_01_sfnt_off00028089.bin | 513e9014c1d01db064f0f5db0e4dd40101d35f5229d6f5ab3a5f1468fecabc90 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x28089 | 23736 bytes
polyglot_child_pdf_off0000c71d.pdf | 317f48d55c44c774778b204b8448d8830d10999ebe56e64b12e30ee91aab33ee | polyglot-child-pdf | Secondary PDF body inside PDF container at offset 0xC71D | 198940 bytes
polyglot_child_pdf_off0003b84c.pdf | 0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8 | polyglot-child-pdf | Secondary PDF body inside PDF container at offset 0x3B84C | 6125 bytes