Malicious PDF — malware analysis report

Static analysis result for SHA-256 a76e9adcffb99de4…

MALICIOUS

PDF

269.1 KB Created: 2010-02-25 09:23:00 -08:00
MD5: 9be122f96616a809e1d95880f177f1f7 SHA-1: 09393c7c1e040ba6bdeb6dd2d3495f30bdf38aff SHA-256: a76e9adcffb99de4c666086b8c4c1bc70db598b52d4981e94a15eb6d46c3c71e
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

This PDF file is identified as malicious by multiple heuristics and a machine learning classifier, specifically flagged as a dropper. The 'PDF_IMAGE_LURE' heuristic indicates it uses a screenshot as a lure, with a hidden click-outward action, a common tactic for phishing. The presence of embedded JavaScript and embedded files, along with the ClamAV detection 'Pdf.Dropper.Agent-5342605-0', strongly suggests it's designed to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9962

Heuristics 8

  • ClamAV: Pdf.Dropper.Agent-5342605-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-5342605-0
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 2 image(s), only 1 text block(s), carries a click-outward action, and is only 269 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 12

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x1BD7 85 bytes
embedded_file_obj0002.bin
52f043a6fc7df55209bb983ed6c7d2cbf223d70807f647258f3320e58aef00a9		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x1C89 1465 bytes
embedded_file_obj0003.bin
af16e0cb98e636cca488174851c84e433b9acda855828256025165579bf7f91e		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x1F44 973 bytes
embedded_file_obj0004.bin
4c87fff0298e6b6310f08213f7b3439fedd074a4e2fcb086e9c9fdaaf19170a1		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x2193 11882 bytes
embedded_file_obj0005.bin
226eeacc5eecef2a05ca480f144ff6936594e20b5c7672e8f29f25c8bea65a56		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x2640 2928 bytes
embedded_file_obj0006.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x29AD 200 bytes
embedded_file_obj0007.bin
1e96d28fce4fbbc1f0f529e2266e0d503636f29111a4ea3cb8464bc9f6b5250a		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x2AA0 835 bytes
embedded_file_obj0008.bin
8f96f8652bbe352f96051db71b660e225a5fc0ae5963e496720bd7a5634fd5d2		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x2C79 291 bytes
stream_002_off000003ac.js
f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3AC 1532 bytes
stream_003_off00000597.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x597 870 bytes
stream_007_off00001141.bin
6186bf7481376005e86ab25ed2e152e26cab09bfed803e7a2418bf67cbf529e4		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1141 1030 bytes
stream_008_off000013b0.bin
05be3559404a8717e68e6b5884bea90b066cd04a5d42d7ddf2487abda5869e78		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x13B0 2983 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.