Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae8217a863c64a9d…

MALICIOUS

PDF

294.7 KB Created: 2011-09-20 10:38:42 +08:00 Authoring application: WPS Office 个人版 (via PDFlib 7.0.3 (C++/Win32))
MD5: 01a1caa4ba9ec050ba8ceafe26998577 SHA-1: b1670be0800ffb04f81ead152db8f25fbb9e0a0c SHA-256: ae8217a863c64a9d188ed9997b95eb09566ea45f53261cc165ed637a8662b4dc
222 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

The critical ClamAV detection and ML classifier score strongly indicate malicious intent. The PDF contains embedded JavaScript and RichMedia (Flash) content, suggesting it's designed to exploit vulnerabilities or trick the user into executing malicious code. The presence of embedded files further supports its role as a dropper. The specific ClamAV signature 'Pdf.Dropper.Agent-7292982-0' points to a dropper functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9962

Heuristics 8

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV: Pdf.Dropper.Agent-7292982-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7292982-0
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 14

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
3000b3469a8bd553f177da3f507a5ea2271a3dee1fd5d5343f41950837af583c		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x3B36 163 bytes
embedded_file_obj0002.bin
66b82b096ae83103365f40b9b767a5582b0a497e4589e7b9323eac0320c61808		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x3C27 1670 bytes
embedded_file_obj0003.bin
e763ac63c3d21786709e7f462b463575525d0e344202f42dbb96897a01541e78		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x3F43 785 bytes
embedded_file_obj0004.bin
720c47f19e6a058099295d18a16b7149cc73fe497eb78821ea810f3192228dc4		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x4138 150 bytes
embedded_file_obj0005.bin
c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x4209 2955 bytes
embedded_file_obj0006.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x4583 200 bytes
embedded_file_obj0007.bin
4273cd319df227c91b92e5509527bb4f6e1abfb3aa2beec2fb2adb93a8671f62		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x4676 835 bytes
embedded_file_obj0008.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x484D 56 bytes
stream_002_off000003ed.js
529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3ED 1363 bytes
stream_003_off000005ca.js
e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5CA 902 bytes
objstm_0047_00.bin
856830b101f28eaa61f2ccb44204fecaa2d0a9658055009fda363a9d3056ff76		 pdf-objstm-decoded PDF /ObjStm 47 0 obj (inflated) 2543 bytes
font_00_sfnt_off00010cb0.bin
02813101e3e960192409cf3bb73056c33ef2fa87c7d5d334a5c2d3e489e34e2a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10CB0 56428 bytes
polyglot_child_pdf_off0000f48b.pdf
4148d13d312be303a0d23fb5e179963474216a0f996e236085329f1b1e42ccaf		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xF48B 239199 bytes
polyglot_child_pdf_off000482fb.pdf
9a95102ad6b4d58a9a742832f61490a27e9b62855fe295b13214addfda321ad3		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x482FB 6127 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.