Malicious PDF — malware analysis report

Static analysis result for SHA-256 adee602844e6e01f…

MALICIOUS

PDF

Size: 256.5 KB
Created: 2009-06-03 22:02:55 +02:00
MD5: 48eca0f341c90db53bcd15f44f70b408
SHA-1: 256e977901756b905471494e10e71394897dbd9b
SHA-256: adee602844e6e01f5ea3fc03ba0012e4d4485d9637b3a22af892d5d0805cd19a
Risk Score: 186

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell

The primary indicator of malicious intent is the 'Clipboard command execution lure' heuristic, which suggests the document instructs the user to interact with the command line using clipboard content. While no scripts were directly analyzed for malicious behavior, the presence of embedded JavaScript and an extracted file detected by ClamAV as 'Win.Worm.Z-5' strongly supports a malicious payload delivery. The embedded URL to kaspersky.com appears to be a benign reference within the document's metadata.

Heuristics 8

  • ClamAV: Win.Worm.Z-5 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Worm.Z-5
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • javascript_obj0231_000.js
    SHA-256: 9c52908a0f7d9f200f31493ce0a4e6beb588f29e6b31af65d3b2f281fb5efea1
    Kind: pdf-javascript-stream
    Source: PDF /JS object 231 at offset 0x2132F
    Size: 1450 bytes
  • stream_058_off000243ef.bin
    SHA-256: 0bf2dd3d1672f3f2a895ecb8f0d585f2750034bfc52caeba62d1161841ba7704
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x243EF
    Size: 113135 bytes
    Detection: ClamAV: Win.Worm.Z-5
    Obfuscation or payload: unlikely
  • objstm_0248_00.bin
    SHA-256: c55d5a629ea7140e145e849253ebf980f0b84c980aff259e91d0557a79bc891f
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 248 0 obj (inflated)
    Size: 7199 bytes