Malicious PDF — malware analysis report

Static analysis result for SHA-256 a071870c1c5f8c94…

Verdict: MALICIOUS
File type: PDF
Size: 17.04 MB
First seen: 2022-02-24
MD5: 3f94df9e22f2af2e9daa36fe415c770f
SHA-1: 57e805f4c0a7a241c01e1b18be8806cb6e82cc01
SHA-256: a071870c1c5f8c94eddcef52d2f509ebb3c31e198a4286563d10bbeea6bd7e22
Risk score: 74

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains an unusually high number of streams, which may indicate obfuscation or a heap spray. A generic JavaScript exploit stage was recovered from the document; it is likely responsible for downloading and executing a second-stage payload. The recovered JavaScript file itself indicates an attempted malicious script execution.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4078

Heuristics (6)

  • Generic recovered JavaScript exploit stage (severity: high, rule PDF_GENERIC_STAGE_RECOVERY)
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Unusually high stream count (severity: medium, rule PDF_MANY_STREAMS)
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
  • Fake invoice / payment lure (severity: low, rule SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://en.wikipedia.org/wiki/MIT_License
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
    • http://www.microsoft.com/Typography/0

Extracted artifacts (30)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_014_off0000fb36.bin | 3cf148211ac28e128cb99bc7e41d23aa915766ed6a0431691f3a0a54385309aa | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xFB36 | 84528 bytes
stream_065_off00040417.bin | 0872cd1f32ec306041f03bf5e5966c4a01db8f296d4d7645a0c6afd658ac91b6 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x40417 | 297800 bytes
stream_073_off000576e3.bin | a9844a614403b3f3722037f1054cd117d5c9146c7f5ff02345809ef02ccb3715 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x576E3 | 267476 bytes
stream_078_off00071808.bin | da9be0f1880f923a8553ff4308105029d8bbf58f635fd976a2b8040afe63e6fd | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x71808 | 4145 bytes
generic_stage_recovery_000.js | 4e97ef6d70a21ca1592d37a6f9cce8db00395491959c9ce0940bac6b3220609b | deobfuscated-js | generic stage recovery null-collapse -> marker-Bb-to-%u from decompressed stream at 0x1947F, at offset 0x1947F | 30268 bytes
    Detection for this artifact:
    • ClamAV: No threats found
    • Obfuscation or payload: likely
    • Carved artifact contains 1 long base64-like blob(s).
font_00_sfnt_off0007bc88.bin | 576730f0490f361002be5077741ba38a91ddf7258995d945a68bda542a664c13 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7BC88 | 62761 bytes
font_01_sfnt_off00085423.bin | bab1502b13d63387ba9b21c18fd8d0f90156f46cc58edce1d6133cc4218e9dd4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x85423 | 70360 bytes
font_02_sfnt_off0008d85d.bin | 32bec41edae25a83ce8f5c5ce40a2bbd37d9e7522e6d02e33e6b211c9e34e165 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8D85D | 82773 bytes
font_03_sfnt_off0009ba56.bin | 232b2d442c08f4bad8a1da8561538788a75697635ac25f1ac969b96a79976286 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9BA56 | 50694 bytes
font_04_sfnt_off000a45dc.bin | 7d89901f563c5e4d2dc18f525c08d2291eddd053b19cae829d4fba314a418235 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA45DC | 63924 bytes
font_05_sfnt_off000c5a08.bin | 3adb97d75682ad1955b51a2a082c9bd6d1518d36074b3e188bc62171b8207445 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC5A08 | 62761 bytes
font_07_sfnt_off000e6e32.bin | f65dd1404d5df7a767099543ed6e8724abdbe5400a19d4f2551af153b72cdac0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE6E32 | 84436 bytes
font_08_sfnt_off00101f52.bin | 1da862d961718f5ef45847b3aa57eb36389cf5863a02ef5da4e9f5d425f1bd34 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x101F52 | 65216 bytes
font_09_sfnt_off001193a5.bin | d280f4ab1d5d274e21b4a6a30d2e9b1c2b3934334bc67cbff18cbf3b684e213b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1193A5 | 60349 bytes
font_10_sfnt_off001243fd.bin | 3e26244b41e0c7ba194d7b8548668cacc696c23bde536e920b3b61f41fe61b4d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1243FD | 60349 bytes
font_11_sfnt_off0012e832.bin | 6bdd0a85bc1a69d391de0cdc706bb635dccc17b469a454ae61f782e8d7760b42 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E832 | 50054 bytes
font_12_sfnt_off0013e762.bin | a2ceedebf89d1cb44d1ac1c77913ccc8b27d1343073d4b67c1e10fce3865d4cd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13E762 | 65955 bytes
font_13_sfnt_off001502a5.bin | c116696b63fef517d05433bac6d958d4c9f19bb68971d4c2029cba32acc8cefc | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1502A5 | 49864 bytes
font_14_sfnt_off00158f46.bin | 4e5489992b2c3d76b3ac28747214c518aa4bb7460e76a4c484505a241bec5cb3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x158F46 | 65955 bytes
font_15_sfnt_off001642ac.bin | a3bcd7e1b2f5da8fb3e90c94885963ef4b02697f102e160ab095f3bfb7ffc627 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1642AC | 51588 bytes
font_16_sfnt_off0017464e.bin | ccc1a0e1d5d22a63b222106ce33782ec3cf8ada56337a053ff687b1dc7dd964f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17464E | 64581 bytes
font_17_sfnt_off00185e59.bin | fd39c9ae0505845a4e2d9b3401b072b16c27483b5aa79b9ceaa4bddbb4e7a972 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x185E59 | 64581 bytes
font_18_sfnt_off00190dd2.bin | 544ee3a4cdeb3c470df8b4321e7657eccb00bde1dc3bca3ca3076c666165620f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x190DD2 | 47517 bytes
font_19_sfnt_off001992b2.bin | 07df50490d9af14c4009dd3952a8bbeeaf1806571b8edb10ee7b01116406ee07 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1992B2 | 52892 bytes
font_20_sfnt_off001afd5d.bin | 9e7eb0eefc78ae6e2bf76a1111d9344a884d6443e27be35c71ab78b1e44ae4d8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1AFD5D | 46867 bytes
font_22_sfnt_off001c894f.bin | 2d53af2135131f8a457c6ed9a23fe61578ec472e8e7ee5cb46753cc4938bf960 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C894F | 62759 bytes
font_24_sfnt_off001e25c8.bin | 916312c00f9d6184c65d8c19c4b291ad21965a9ccf43b799847303ba1a98c222 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E25C8 | 18923 bytes
font_26_sfnt_off001ffcef.bin | f9bbddef2a3a168241eb3e1f3267004e18c1156ae86aa96c2fffb961695ca2a8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1FFCEF | 50746 bytes
font_27_sfnt_off002076b4.bin | 8b08df00deaf4c35b9b8cab3feafb4029dad7500002465f16f569b90d0edaddb | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2076B4 | 34309 bytes
font_29_sfnt_off0021a301.bin | 35647e54721115745df06c327c5325a52d70794bf5be7efd813bddd8c452b7e3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21A301 | 53296 bytes