Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2829ca7e4869345…

Verdict: MALICIOUS
File type: PDF

Size: 665.2 KB
Created: 2010-02-15 12:17:47 -05:00
Authoring application: Acrobat PDFMaker 8.1 for Microsoft Outlook (via Adobe PDF Library 8.0)
MD5: cdc2d40372c107d6b9ce523400fbbf7b
SHA-1: 52882e8a7fb81908de3a192cdf893c3065d01983
SHA-256: a2829ca7e4869345d2e9f1c77f4956f3dc64de50cb21e8172a1251f363fdf64b
Risk Score: 276

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell
Note: no finding in this report references PowerShell or a PowerShell script; the T1059.001 mapping is not supported by the static evidence shown here and should be confirmed by dynamic analysis before it is used in detection content.

The PDF contains embedded JavaScript and a ZIP archive whose local file headers name an executable, 'document.doc.exe'. The double extension is a lure: with the Windows default of hiding known extensions, the file is displayed as 'document.doc'. The report does not show the contents of the JavaScript (object 155, 146 bytes), so its role in delivering the payload is inferred rather than observed. The decisive findings are the ZIP carried inside an ordinary PDF stream rather than only in a declared /EmbeddedFile attachment, ClamAV's Win.Trojan.Suspect-32 detection on the whole file and on two carved artifacts (the /EmbeddedFile object 247 and decompressed stream 011), and the download call-to-action lure. Nothing in a PDF stream executes on its own; the chain still depends on the victim extracting and running the file, which is why T1204.002 (User Execution: Malicious File) is the mapping the evidence supports.
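Added example, not part of this report or of the analysis engine's own rules: a scanner that reimplements the idea behind PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD. It inflates each FlateDecode stream, looks for ZIP local file headers (PK\x03\x04), reads the entry names straight from those headers (so a truncated or trailing-garbage archive still yields names) and flags executable extensions and double extensions such as document.doc.exe. The sample PDF, the fake PE bytes and the extension list are constructed assumptions for the demonstration.

```python
"""Find ZIP archives with executable entries hidden inside PDF streams.

Illustrative code written for this report (not the analysis engine's rule).
"""
import io
import os
import re
import struct
import zipfile
import zlib

# Assumed list of extensions Windows executes directly; extend as needed.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".hta", ".msi", ".ps1", ".lnk"}

# "stream ... endstream" bodies; the lookbehind stops "endstream" matching as "stream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)
LOCAL_HDR = b"PK\x03\x04"       # ZIP local file header signature
LOCAL_HDR_FMT = "<IHHHHHIIIHH"  # the 30-byte fixed part of that header


def build_sample_pdf() -> bytes:
    """Constructed test input (not the real sample): a ZIP holding a fake PE named
    document.doc.exe plus a decoy text file, wrapped in one FlateDecode stream."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("document.doc.exe", b"MZ" + b"\x00" * 62)  # fake PE header only
        zf.writestr("readme.txt", b"Open the attached document.")
    raw = zlib.compress(zbuf.getvalue())
    header = b"1 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(raw)
    return (b"%PDF-1.4\n" + header + raw + b"\nendstream\nendobj\n"
            b"2 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n")


def zip_entry_names(data: bytes) -> list:
    """Walk ZIP local file headers in a blob and return the entry names.
    Only local headers are read, so no central directory is required."""
    names, pos = [], data.find(LOCAL_HDR)
    while pos != -1 and pos + 30 <= len(data):
        fields = struct.unpack(LOCAL_HDR_FMT, data[pos:pos + 30])
        name_len, extra_len = fields[9], fields[10]
        names.append(data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos = data.find(LOCAL_HDR, pos + 30 + name_len + extra_len)
    return names


def find_hidden_zip_payloads(pdf: bytes) -> list:
    """One finding per stream that carries a ZIP, inflated or not."""
    findings = []
    for index, m in enumerate(STREAM_RE.finditer(pdf)):
        raw = m.group(1)
        try:
            inflated = zlib.decompressobj().decompress(raw)  # tolerates trailing bytes
        except zlib.error:
            inflated = b""
        candidates = ([inflated] if inflated else []) + [raw]  # ZIP may sit uncompressed too
        for blob in candidates:
            names = zip_entry_names(blob)
            if not names:
                continue
            findings.append({
                "stream_index": index,
                "offset": m.start(1),
                "entries": names,
                "executables": [n for n in names
                                if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTS],
                "double_extension": [n for n in names
                                     if os.path.basename(n).count(".") >= 2],
            })
            break
    return findings


if __name__ == "__main__":
    for finding in find_hidden_zip_payloads(build_sample_pdf()):
        print(finding)
```

Reading names from the local headers rather than opening the blob with zipfile is deliberate: smuggled archives are often appended to or embedded in other data, and zipfile refuses anything whose central directory it cannot locate.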

Heuristics (11)

  • PDF_EMBEDDED_CHILD_STATIC_TRIAGE [critical]: Embedded PDF child has suspicious static findings
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD [critical]: Hidden ZIP payload with executable entries inside PDF stream
    PDF stream bytes contain an embedded ZIP archive whose local headers name executable payload files. This is not a normal PDF attachment (/EmbeddedFile); it hides Windows payloads inside an ordinary stream, a strong malware-loader or smuggling pattern.
  • CLAMAV_DETECTION [critical]: ClamAV: Win.Trojan.Suspect-32
    ClamAV detected this file as malware: Win.Trojan.Suspect-32.
  • EXTRACTED_FILE_CLAMAV [critical]: ClamAV detection on extracted artifact
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • PDF_EMBEDDED [low]: Embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF_JAVASCRIPT [low]: JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS [low]: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • SE_DOWNLOAD_BUTTON [low]: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal unless other findings point to a malicious workflow.
  • PDF_URI [info]: External URI
    PDF contains an external URL action.
  • EXTRACTED_FILE_STATIC_TRIAGE [info]: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://www.adobe.com/products/acrobat/readstep2.html
    • http://www.adobe.com/products/acrobat/readstep2.html)/S/URI/IsMap
    Note: the first five entries are XMP/RDF namespace identifiers from the document's metadata packet, standard in Adobe-produced PDFs and not links a reader would follow. The readstep2.html entry is Adobe's "get Acrobat Reader" page reached through a /URI action; its second form is the same URL with the closing parenthesis and the following keys of the action dictionary (/S /URI /IsMap) swallowed by the extractor, not a distinct destination. None of these URLs is a network indicator for this sample.
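Added example, not part of this report or of the analysis engine's own extractor: it reproduces why a bare URL regex over raw PDF bytes yields entries like readstep2.html)/S/URI/IsMap, and shows the alternative of parsing the /URI literal string and the XMP xmlns declarations separately so each URL comes back clean and labelled with its channel. The PDF fragment is constructed and simplified (no real stream lengths or xref table); the channel names are assumptions.

```python
"""Extract URLs from a PDF and label the channel each came from.

Illustrative code written for this report (not the analysis engine's extractor).
"""
import re

NAIVE_URL_RE = re.compile(rb"https?://[^\s<>\"']+")
URI_ACTION_RE = re.compile(rb"/URI\s*\(")                    # /URI key followed by a literal string
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_.-]+="([^"]+)"')   # XMP/RDF namespace declarations

# Constructed, simplified PDF: one XMP metadata stream and one link annotation
# whose action dictionary is written without whitespace, as in the report's artifact.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
    b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>\nendstream\nendobj\n'
    b"2 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /URI(http://www.adobe.com/products/acrobat/readstep2.html)/S/URI/IsMap false >> >>\n"
    b"endobj\n%%EOF\n"
)


def naive_urls(pdf: bytes) -> list:
    """What a plain regex over the raw bytes returns (over-captures dictionary keys)."""
    return [m.decode("latin-1") for m in NAIVE_URL_RE.findall(pdf)]


def read_literal_string(data: bytes, start: int) -> bytes:
    """Parse a PDF literal string whose '(' is at data[start]. Handles nested
    parentheses and the common backslash escapes; octal escapes pass through."""
    if data[start:start + 1] != b"(":
        raise ValueError("literal string must start with '('")
    escapes = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
               b"(": b"(", b")": b")", b"\\": b"\\"}
    depth, out, i = 0, bytearray(), start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            out += escapes.get(nxt, b"\\" + nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def labelled_urls(pdf: bytes) -> list:
    """(url, channel) pairs: 'uri-action' for /URI link actions a reader would follow,
    'xmp-namespace' for namespace identifiers in metadata, which are not links."""
    results = []
    for m in URI_ACTION_RE.finditer(pdf):
        url = read_literal_string(pdf, m.end() - 1)
        results.append((url.decode("latin-1"), "uri-action"))
    for m in XMLNS_RE.finditer(pdf):
        results.append((m.group(1).decode("latin-1"), "xmp-namespace"))
    return results


if __name__ == "__main__":
    print("naive  :", naive_urls(SAMPLE_PDF))
    print("parsed :", labelled_urls(SAMPLE_PDF))
```

The /URI value is parsed as a PDF literal string rather than matched with a URL regex because the string's own delimiters define where it ends; a regex has no way to know that the ')' terminates the value while '/S/URI' begins the next key.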

Extracted artifacts (10)

Files carved from inside the sample during analysis. Each entry lists filename, SHA-256, kind, source, size and any detection.

  • embedded_file_obj0247.bin
    SHA-256: 5640e37fdbd19e1d85e2fa213a3b7f81c7015e69cbc69f5f0f2a139ac6f67a06
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 247 at offset 0xC31E
    Size: 379197 bytes
    Detection: ClamAV: Win.Trojan.Suspect-32
    Obfuscation or payload: unlikely
  • javascript_obj0155_000.js
    SHA-256: 6a10e0cabe101a2c27868253180f294e4e53228d189d9d07eb99b4b663066e1d
    Kind: pdf-javascript-stream
    Source: PDF /JS object 155 at offset 0x69136
    Size: 146 bytes
  • stream_005_off0006b15e.bin
    SHA-256: 84c82c7b7f990599df559ac40d823188e532c68c6eded107838492fdffb11b41
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x6B15E
    Size: 383782 bytes
  • font_00_sfnt_off00005fc1.bin
    SHA-256: 4d34740e2bff29cbbfb76718b1b2970e9302a6eee00f02788d03c86f47f8a5fb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5FC1
    Size: 47824 bytes
  • stream_011_off00006c1c.bin
    SHA-256: 2caa7550d61c0aaf09764203f38c804fc0ec62d59fe7aed7da8d9f637394e770
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x6C1C
    Size: 668128 bytes
    Detection: ClamAV: Win.Trojan.Suspect-32
    Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs)
  • stream_015_off000a473a.bin
    SHA-256: 4389348ff11e225b636a36548a78cce35a4b25487a76bce191b364f8b41fbc12
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xA473A
    Size: 23558 bytes
  • icc_00_off000046fa.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x46FA
    Size: 3144 bytes
  • font_00_cff_off00001b0e.bin
    SHA-256: 5e5d2cbabc995740b019cb0c5127bbab328ccc709469618e5e200a6d6f53dbdd
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1B0E
    Size: 2083 bytes
  • font_01_cff_off0000281e.bin
    SHA-256: 5eff8bf8cc14b7c8264a4c4600a967db515a9954b09974206ba811cd806be20b
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x281E
    Size: 3582 bytes
  • font_02_cff_off00003a82.bin
    SHA-256: 03f004927ca314ec5dd7da0be0d26dd0196a80bb4e478c7921660dd83737b631
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x3A82
    Size: 3343 bytes