Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae0cabf88a6f5790…

Verdict: MALICIOUS
File type: PDF
Size: 468.0 KB
Created: 2007-09-18 14:27:28 -05:00
Authoring application: Adobe Acrobat 8.0 Combine Files (via Adobe Acrobat 8.0)
MD5: 0ecc5c31762016853367569bb88a5495
SHA-1: e444e91a1cd8ff015493e473f50182058d54f490
SHA-256: ae0cabf88a6f5790aa76e34d51efb6c99166d59b80f686c672c1d489c06383a6
Risk Score: 112

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

This PDF file contains multiple JavaScript streams and an embedded PDF, indicating a multi-stage attack. The embedded JavaScript is likely responsible for downloading and executing a secondary payload. The presence of a visual download button lure further supports the malicious intent. The embedded PDF itself contains suspicious static findings, including JavaScript actions and form buttons, suggesting it is part of the malicious workflow.

Heuristics (10)

  • [critical] Embedded PDF child has suspicious static findings (PDF_EMBEDDED_CHILD_STATIC_TRIAGE)
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • [low] JavaScript action (PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] Embedded JS stream (PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] Embedded file (PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • [low] XFA form (PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • [low] AcroForm button with action trigger (PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • [low] Visual download / call-to-action button lure (SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • [info] External URI (PDF_URI)
    PDF contains an external URL action.
  • [info] Suspicious extracted artifact (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.adobe.com/products/acrobat/readstep2.html)/S/URI/IsMap (raw extraction; the trailing ")/S/URI/IsMap" is PDF action-dictionary syntax, not part of the URL)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.adobe.com/products/acrobat/readstep2.html

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source location and size.

  • javascript_obj0101_000.js
    SHA-256: f979542c4992f256c12537db5bbe5f86605da11ef877e634ccfc2c47c9284b10
    Kind: pdf-javascript-stream
    Source: PDF /JS object 101 at offset 0xC71
    Size: 1604 bytes
  • javascript_obj0102_001.js
    SHA-256: 3bf84668674e23c91aaaa6c58c24a1f80a30566e9cfbd09040882d18101fed76
    Kind: pdf-javascript-stream
    Source: PDF /JS object 102 at offset 0xE5A
    Size: 902 bytes
  • javascript_obj0103_002.js
    SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
    Kind: pdf-javascript-stream
    Source: PDF /JS object 103 at offset 0xFC5
    Size: 2798 bytes
  • font_00_cff_off00002361.bin
    SHA-256: e0b74124f131f1d8e85f1769181d3cdcb2b3a1f2d5d9fac5b13777fc512f46a7
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x2361
    Size: 85952 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.44, consistent with packed or encrypted content. (Embedded font streams are normally compact binary data, so high entropy on a font artifact is weak evidence on its own.)
  • javascript_obj0072_000.js
    SHA-256: 736c69993d4cd953676f5971bd943955c344f3001c77f281afd5d8df5a456b51
    Kind: pdf-javascript-stream
    Source: PDF /JS object 72 at offset 0x728
    Size: 1379 bytes
  • stream_014_off00031807.bin
    SHA-256: 7fa7ca82c85860b038d842b248b6b2e52b60380b439786a9ebe886595fd24c60
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x31807
    Size: 73774 bytes
  • icc_00_off00002785.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x2785
    Size: 3144 bytes
  • font_00_cff_off000031e9.bin
    SHA-256: 03f004927ca314ec5dd7da0be0d26dd0196a80bb4e478c7921660dd83737b631
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x31E9
    Size: 3343 bytes
  • font_01_cff_off00004171.bin
    SHA-256: 5eff8bf8cc14b7c8264a4c4600a967db515a9954b09974206ba811cd806be20b
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x4171
    Size: 3582 bytes
  • font_02_cff_off00005224.bin
    SHA-256: 5e5d2cbabc995740b019cb0c5127bbab328ccc709469618e5e200a6d6f53dbdd
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x5224
    Size: 2083 bytes