Malicious PDF — malware analysis report

Static analysis result for SHA-256 a176e9e5b61df542…

MALICIOUS

PDF

920.4 KB
MD5: 9ab155b2ddf16e2ad5bec50499194375 SHA-1: 7631e016cf789b195a850666d272d7a03880cc56 SHA-256: a176e9e5b61df542c6d075dc9a220991fbbe6604e486c479ab9af08466195be2
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

This PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript and a Flash object (Tatsumaki.swf). The presence of these embedded components suggests an attempt to exploit vulnerabilities within the PDF reader to execute arbitrary code. The embedded JavaScript stream, while obfuscated, is likely responsible for initiating the execution of the Flash content or a subsequent payload. The high ML score and the embedded Flash object indicate a high likelihood of exploit delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://adobe.com/AS3/2006/builtin
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
Tatsumaki.swf
33a3d2b4980fa54bd5e53fcbd93fc57d83141d925da4e30cd37f2f88a3181d95		 pdf-embedded-file PDF EmbeddedFile object 18 at offset 0x266D 33088 bytes
javascript_obj0006_000.js
aef807b24abe25edf4cf47abd3109baa905c1e2b9e59b120cb637d52691a47a8		 pdf-javascript-stream PDF /JS object 6 at offset 0xFC 8775 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.