Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2ef1063dd89641b…

MALICIOUS

PDF

934.1 KB Created: 2010-06-23 21:51:06 +08:00
MD5: 998c1b62b9f4f47367a98be898841fba SHA-1: 064e88b7482fe135b28862d0ee151595effb3d38 SHA-256: a2ef1063dd89641bae1f0622a7d583edd77db572244cd0cb5dc3a8adbee26ab4
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment T1140 Deobfuscate/Decode Files or Information

The PDF contains embedded JavaScript and RichMedia (Flash) content, indicating an attempt to exploit vulnerabilities or deliver a payload. The ClamAV detection 'Pdf.Dropper.Agent-6334749-0' strongly suggests this is a dropper. The presence of embedded files and JavaScript, along with the 'unescape()' and 'String.fromCharCode()' calls, points to obfuscation techniques used to hide the malicious payload. The primary function appears to be downloading and executing a secondary stage, characteristic of a dropper.

Heuristics 11

  • ClamAV: Pdf.Dropper.Agent-6334749-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-6334749-0
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0013.bin
559f1037c3c1786a2ceeb2463473e036f1a9f2ba12f5fde7a49e60fabe826be4		 pdf-embedded-file PDF EmbeddedFile object 13 at offset 0xDF32A 163 bytes
embedded_file_obj0014.bin
9e5c5c43ec50633f569115c2f1519add09019029e360cd265fc7675a20849d45		 pdf-embedded-file PDF EmbeddedFile object 14 at offset 0xDF41D 1511 bytes
embedded_file_obj0015.bin
498d987c30c08c76760d3944415bd89ca82e990a236a9b9c65f810ead6b4b8ac		 pdf-embedded-file PDF EmbeddedFile object 15 at offset 0xDF6F7 6329 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
embedded_file_obj0016.bin
9cb5f75badb1b344316dc0e14d2def9d7b8313f1214cd11c78612a81bda53540		 pdf-embedded-file PDF EmbeddedFile object 16 at offset 0xE015B 156 bytes
embedded_file_obj0017.bin
7a3baf6cd7005199e771f5fac95d2162e961b145b52976bfa7d0f32a10c9758d		 pdf-embedded-file PDF EmbeddedFile object 17 at offset 0xE022C 3023 bytes
embedded_file_obj0018.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 18 at offset 0xE05BE 200 bytes
embedded_file_obj0019.bin
aa76ce2d3306dc20f8d639a2e335b72586ab2932708999a39c564b8aac33cbf2		 pdf-embedded-file PDF EmbeddedFile object 19 at offset 0xE06B2 835 bytes
embedded_file_obj0020.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 20 at offset 0xE088C 56 bytes
stream_002_off0000048f.js
f8721569904600df33f536ddc9f4942717077f9d6c3c4253a8f4de5650fc6531		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x48F 1367 bytes
stream_003_off00000675.js
91ea259764c68d27b8981a339c02d8ea92224ae5c0d0cd0a7c8f3d645d599090		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x675 902 bytes
objstm_0088_00.bin
ec3642632bcbdba01d5695befa908792519171118a460515649ac864f7423a29		 pdf-objstm-decoded PDF /ObjStm 88 0 obj (inflated) 2028 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.