PDF malware analysis — malicious · a7db298ac96b8abf

MALICIOUS

PDF

271.3 KB Created: 2011-09-20 10:38:42 +08:00 Authoring application: Writer (via OpenOffice.org 3.0)

MD5: 9c8b40b7352772468eaa0a46896e3acd SHA-1: bb16486c3612c14257f77e3de4e669ff1f5f8541 SHA-256: a7db298ac96b8abf19aa271089917922e4912fcbfae87222b14b8628a07ee105

162 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript and RichMedia (Flash) content, indicating an attempt to execute malicious code. The ML classifier strongly flagged this PDF as malicious. Additionally, a secondary embedded PDF was found with suspicious static findings, suggesting a multi-stage attack. The presence of embedded files further supports the delivery of additional malicious components.

Machine Learning

Nyx PDF Classifier malicious score 0.9319

Heuristics 7

Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
RichMedia (Flash) high PDF_RICHMEDIA

PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdf/1.3/

Extracted artifacts 21

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0001.bin` `3000b3469a8bd553f177da3f507a5ea2271a3dee1fd5d5343f41950837af583c`	pdf-embedded-file	PDF EmbeddedFile object 1 at offset 0x3B36	163 bytes
`embedded_file_obj0002.bin` `66b82b096ae83103365f40b9b767a5582b0a497e4589e7b9323eac0320c61808`	pdf-embedded-file	PDF EmbeddedFile object 2 at offset 0x3C27	1670 bytes
`embedded_file_obj0003.bin` `e763ac63c3d21786709e7f462b463575525d0e344202f42dbb96897a01541e78`	pdf-embedded-file	PDF EmbeddedFile object 3 at offset 0x3F43	785 bytes
`embedded_file_obj0004.bin` `720c47f19e6a058099295d18a16b7149cc73fe497eb78821ea810f3192228dc4`	pdf-embedded-file	PDF EmbeddedFile object 4 at offset 0x4138	150 bytes
`embedded_file_obj0005.bin` `c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9`	pdf-embedded-file	PDF EmbeddedFile object 5 at offset 0x4209	2955 bytes
`embedded_file_obj0006.bin` `4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5`	pdf-embedded-file	PDF EmbeddedFile object 6 at offset 0x4583	200 bytes
`embedded_file_obj0007.bin` `4273cd319df227c91b92e5509527bb4f6e1abfb3aa2beec2fb2adb93a8671f62`	pdf-embedded-file	PDF EmbeddedFile object 7 at offset 0x4676	835 bytes
`embedded_file_obj0008.bin` `4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1`	pdf-embedded-file	PDF EmbeddedFile object 8 at offset 0x484D	56 bytes
`stream_002_off000003ed.js` `529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x3ED	1363 bytes
`stream_003_off000005ca.js` `e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x5CA	902 bytes
`objstm_0047_00.bin` `856830b101f28eaa61f2ccb44204fecaa2d0a9658055009fda363a9d3056ff76`	pdf-objstm-decoded	PDF /ObjStm 47 0 obj (inflated)	2543 bytes
`font_00_sfnt_off0001890a.bin` `b1186ff37a3c9f7b2c928ad9c9888c7893f4ce0746120e1ad6b6e8c2e938d9b2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1890A	24280 bytes
`font_01_sfnt_off0001b804.bin` `533285a119d959917650831277517303b88e816b1ac0d9d29fdfe175a005df0b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1B804	23512 bytes
`font_02_sfnt_off0001e618.bin` `cfd8475624654acefe85dfed82dabe01906f123e364aa1043e26d7815b7265f5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1E618	37416 bytes
`font_03_sfnt_off00021c5f.bin` `0aca7df95dcc86e1ee961d72a8316f4314891022e651e5649e02bd07e325e1e4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x21C5F	7004 bytes
`font_04_sfnt_off00022baf.bin` `6008a9d66a5a26f63099e836fb46d1e6408c720b10be519487445e78257fb3dc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x22BAF	9468 bytes
`font_05_sfnt_off00024498.bin` `7f093fca39948530543734ff098c12a2410e2c565109727b2b006309c9fc7f82`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x24498	108332 bytes
`font_06_sfnt_off0003360d.bin` `74b5532c87e7d8e4dc95be4b47cdbd547d3ff3a61b708e44ec1d542ed6254361`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3360D	94596 bytes
`font_07_sfnt_off000403b1.bin` `373f2f00eb3b2be1a03d93c2590348ffe971338e657483664849e396363d81eb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x403B1	10340 bytes
`polyglot_child_pdf_off0000f4a7.pdf` `6646565e11a61d6aaaf25e69094c84229334aabf7f6288b59d8432174314ba06`	polyglot-child-pdf	Secondary PDF body inside pdf container at offset 0xF4A7	215210 bytes
`polyglot_child_pdf_off00042564.pdf` `0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8`	polyglot-child-pdf	Secondary PDF body inside pdf container at offset 0x42564	6125 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.