Malicious PDF — malware analysis report

Static analysis result for SHA-256 adddd63000a454a6…

MALICIOUS

PDF

41.4 KB Created: 2012-08-14 08:27:41 +04:00 Authoring application: Adobe Designer 7.0
MD5: cd8801ac34fe063bcd7b32a90262f39e SHA-1: db418e4afdd97824e514cb85d42a2b23ae635993 SHA-256: adddd63000a454a63bdc1f5e042579b4b03d9a12fc79b0615cff82e2948635a8
74 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The ML classifier strongly indicates maliciousness, supported by heuristics for embedded script payloads and embedded files within the PDF. The presence of XFA forms and AcroForm buttons suggests an attempt to exploit PDF features for malicious purposes. While no specific script content was readable, the embedded nature points to a delivery mechanism for a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 5

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0040.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 40 at offset 0x7233 85 bytes
embedded_file_obj0041.bin
74e72782865ff6ca138226514e62c892ce7dcb4e146b07a6eb94a7cc83c4db41		 pdf-embedded-file PDF EmbeddedFile object 41 at offset 0x72E5 1528 bytes
embedded_file_obj0042.bin
d9fb0009fc2fa09ab87f36668e30a3dc751e1d011a17acbaa949a87843daa595		 pdf-embedded-file PDF EmbeddedFile object 42 at offset 0x75B8 9533 bytes
embedded_file_obj0043.bin
3dd68f00f4fcb366a2a3a17c65cb2626eeddf5ea5713302d374310561d810169		 pdf-embedded-file PDF EmbeddedFile object 43 at offset 0x8508 144 bytes
embedded_file_obj0044.bin
016667cb6db3d4b5e9108b64d752c9bc222c236e42ffdd4ba2fbfa079602415b		 pdf-embedded-file PDF EmbeddedFile object 44 at offset 0x85CB 9159 bytes
embedded_file_obj0045.bin
57045217c453d4674a08ad8778674bf199a7989a9505424a1815c016e6bb412f		 pdf-embedded-file PDF EmbeddedFile object 45 at offset 0x8C58 212 bytes
font_00_cff_off00001330.bin
23831e143e2e1a484b95ee765b15d94562c951468b895c080e655667dc04ddf0		 pdf-font-stream PDF embedded font (cff) at offset 0x1330 31178 bytes
font_01_cff_off00008dbd.bin
3da4a61fc2f019caf27fe53ec3149540f8999f0bdcd7f482c3686989aac4a211		 pdf-font-stream PDF embedded font (cff) at offset 0x8DBD 1192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.