Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5dac02994a4a425…

Verdict: MALICIOUS
File type: PDF
Size: 1.42 MB
Created: 2010-01-15 14:57:36 +08:00
Authoring application: Adobe Acrobat 8.1 Combine Files (via Adobe Acrobat 8.1)
MD5: 274feea15aeb49fead0dc0247cee395c
SHA-1: 609aaaeda7ff75d07df5777bc0bcc9ce66d8093d
SHA-256: a5dac02994a4a4255d7d3b520d46cb0508c69caaa83f0cd415dc37cd282edc82
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains embedded JavaScript and an embedded PDF file, indicating an attempt to deliver a malicious payload. The 'PDF_IMAGE_ONLY_LURE' heuristic suggests the document may be visually deceptive to encourage user interaction. The embedded JavaScript is likely responsible for triggering the opening of the embedded PDF, which itself has suspicious static findings. The benign URLs extracted do not provide further clues.

Heuristics (6)

  • Embedded PDF child has suspicious static findings [critical] PDF_EMBEDDED_CHILD_STATIC_TRIAGE
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • PDF paints image(s) but contains no text operators [medium] PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • javascript_obj0136_000.js
    SHA-256: 97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61
    Kind: pdf-javascript-stream
    Source: PDF /JS object 136 at offset 0x65A
    Size: 1946 bytes
  • stream_028_off00053101.bin
    SHA-256: cd7ac667e3922658a3af2b76802ea53c6866f2b3f7273b35c1fb225b3feef55c
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x53101
    Size: 26720 bytes
  • stream_033_off0006a808.bin
    SHA-256: 3df43e16b9aa9cfc009c19c0aa407a16dbe3904b7f23f1234019fe1b816f1704
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x6A808
    Size: 26113 bytes
  • icc_00_off0001e748.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x1E748
    Size: 3144 bytes