Malicious PDF — malware analysis report

Static analysis result for SHA-256 afb161c2dfefbdfe…

MALICIOUS

PDF

Size: 1.06 MB
Created: 2009-03-25 14:49:00
Authoring application: LaTeX with hyperref package + hypdvips (via dvips + GPL Ghostscript 8.64)
MD5: 524157a2799b04bdc223fcd4a0891428
SHA-1: 12470c725abe9ccc6ddb4805ef9d2c0788855b8a
SHA-256: afb161c2dfefbdfe82952a2a258be6dba1af0220e3235c7ffe7881e3e6ffec49
Risk score: 174

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

This PDF file contains embedded JavaScript and a hidden ZIP archive with an executable payload named 'md5sums.exe'. The JavaScript is likely designed to extract and execute this payload, serving as a downloader for a second-stage malicious artifact. The presence of a hidden executable payload within an embedded archive strongly suggests a malicious intent to deliver malware.

Heuristics (9)

  • Embedded PDF child has suspicious static findings (critical, PDF_EMBEDDED_CHILD_STATIC_TRIAGE)
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • Hidden ZIP payload with executable entries inside PDF stream (critical, PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD)
    PDF stream bytes contain an embedded ZIP archive whose local headers name executable payload files. This is not a normal PDF attachment (/EmbeddedFile); it hides Windows payloads inside an ordinary stream, a strong malware-loader or smuggling pattern.
  • Remote GoTo action (medium, PDF_GOTO_REMOTE)
    PDF references a remote or embedded document via GoToR/GoToE with an extension-less or unresolved target.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.adobe.com/devnet/acrobat/pdfs/pdf_reference_1-7.pdf
    • http://www.adobe.com/devnet/acrobat/downloads/Acrobat_SDK_readme.html#Known_Issues
    • http://www.iana.org/assignments/media-types/
    • http://tools.ietf.org/html/rfc2046
    • http://www.ctan.org/get/macros/latex/contrib/xcolor/xcolor.pdf
    • http://tools.ietf.org/html/rfc1321
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
rfc1321.txt | 284a79d148400d9cd2a423211d1103b5cef0fb9256a4cbe6d7ebe5197c3149dd | pdf-embedded-file | PDF EmbeddedFile object 33 at offset 0x8EA10 | 35222 bytes
rfc2046.txt | 7ac4096b9263e11a704f06892638258ac1ddc0394dd75ffdc171e7b5ba0123e0 | pdf-embedded-file | PDF EmbeddedFile object 35 at offset 0x91627 | 105854 bytes
md5sums-1.2.zip | 1c1ec44780169fed0202a92c219bc062fc0286fae4b4edd63cbbf7bfcf672987 | pdf-embedded-file | PDF EmbeddedFile object 184 at offset 0x99075 | 28761 bytes
bibdat.bib | 99049ac0e51abb0d0147f385554ac5f5e0d24ba4bc85cd2d2caa84d467fd77ee | pdf-embedded-file | PDF EmbeddedFile object 238 at offset 0xA036C | 1369 bytes
hypdvips.tex | 42a0198b312dbf35be34edfc8d92bfd6beb6c8204a949f72b2d05d443fd29457 | pdf-embedded-file | PDF EmbeddedFile object 272 at offset 0xA081B | 51763 bytes
javascript_obj0001_000.js | a8b4855f1c718c68f6494d850d542168d7a75f4d42067e38f810aa2beed45f10 | pdf-javascript-stream | PDF /JS object 1 at offset 0x18D2D | 1761 bytes
javascript_obj0099_001.js | 755fba24206aa27cbd02d69fc7a89486d38697fd2e31dfa013e3cd98642cb555 | pdf-javascript-stream | PDF /JS object 99 at offset 0x1BFEF | 740 bytes
javascript_obj0101_002.js | c96f14833646e0db55e42643e004c3a82900fcff82048b8ec1ef9d6d9d18ad5b | pdf-javascript-stream | PDF /JS object 101 at offset 0x1C45A | 62 bytes
javascript_obj0104_003.js | f3a86607eeb9afa49ece1cec20178aac505f020c6548c31cdf25f6d16df13493 | pdf-javascript-stream | PDF /JS object 104 at offset 0x1C551 | 62 bytes
javascript_obj0105_004.js | 336fc05ee66c80600c56757838d2493c32572fa1d081cf8eef721168066febb3 | pdf-javascript-stream | PDF /JS object 105 at offset 0x1C649 | 740 bytes
javascript_obj0107_005.js | ab093fa9db989e501e52b199210d9229fa2eb61a5628daffc55521d5fb96ae30 | pdf-javascript-stream | PDF /JS object 107 at offset 0x1CAB9 | 62 bytes
javascript_obj0108_006.js | dcbf1f0030904f24d63d591426194760ca2cec25f71004fb79a67340068d999b | pdf-javascript-stream | PDF /JS object 108 at offset 0x1CBB2 | 62 bytes
javascript_obj0109_007.js | 6805c51125a929df043606add496f5809f7252e245ead248473a029c716a0520 | pdf-javascript-stream | PDF /JS object 109 at offset 0x1CCAC | 911 bytes
javascript_obj0112_008.js | a7cc90dcdf3b8563e24dd12cc98d746dea147be69cb99530810e62bdb5f9ba26 | pdf-javascript-stream | PDF /JS object 112 at offset 0x1D275 | 740 bytes
javascript_obj0114_009.js | 11baa496068eb8b4c937b5f61b6bbed33a93c9500e9618e86ee31d7000028484 | pdf-javascript-stream | PDF /JS object 114 at offset 0x1D6E5 | 62 bytes
javascript_obj0115_010.js | eb90683da5b6a04e69b7d844069afdbec36f7407bbb01cde84840cc297a4e5a0 | pdf-javascript-stream | PDF /JS object 115 at offset 0x1D7DE | 62 bytes
javascript_obj0116_011.js | f07c19772ebf33c3479921c8e5c29b155effb5f28b1ec26247319cc13ea5af40 | pdf-javascript-stream | PDF /JS object 116 at offset 0x1D8D8 | 911 bytes
hidden_pdf_zip_off0009907c.zip | 899d850b5b8a867cdf2e97df1f3d4440de8f2980acbdcc78091d80816774395c | pdf-hidden-zip | PDF raw stream ZIP payload at offset 0x9907C | 28699 bytes
font_00_cff_off00074e9f.bin | bf0030b141d5f4b38af77c9debdd3b8c72f678de11726196385f799a0f3593f8 | pdf-font-stream | PDF embedded font (cff) at offset 0x74E9F | 3696 bytes
font_01_cff_off00075bd2.bin | 239b81a4a8f674a9acb8e9c7519cb58a513c6bfd69edd250d3648267ab9cc014 | pdf-font-stream | PDF embedded font (cff) at offset 0x75BD2 | 7830 bytes
font_02_cff_off00077320.bin | cef3acd5fd750a3ea9f8724bf6b54026c7bd6b8bdd918bfa0c17107b70e7014a | pdf-font-stream | PDF embedded font (cff) at offset 0x77320 | 564 bytes
font_03_cff_off00077679.bin | fe213ef4e95c0f240dc3a7f57861252b788e80b85f82a0b4e4a9fe26b4678428 | pdf-font-stream | PDF embedded font (cff) at offset 0x77679 | 622 bytes
font_04_cff_off00077a1a.bin | d69056ced0c0c95db100edb07e6e117403496086e048e149e20ec938f0cd0b01 | pdf-font-stream | PDF embedded font (cff) at offset 0x77A1A | 1056 bytes
font_05_cff_off00077eab.bin | 837ab209acdc3b69828e671d8bf90cebb0b3272fd83191d8e66fea89a62b4551 | pdf-font-stream | PDF embedded font (cff) at offset 0x77EAB | 327 bytes
font_06_cff_off00078205.bin | a8983a70d45d472afa372d9e6de557c1b62cdd5c5a1076f6611851b1e9faf539 | pdf-font-stream | PDF embedded font (cff) at offset 0x78205 | 6729 bytes
font_07_cff_off000798db.bin | e9ba792d52ac4204eb7dbfb53cb50a9f368a41d39f171f22099a86d0a54770c0 | pdf-font-stream | PDF embedded font (cff) at offset 0x798DB | 9883 bytes
font_08_cff_off0007b7bb.bin | b64fbeee391935453d8d90461b6348708923708a90c46fd35124cc5257f5de65 | pdf-font-stream | PDF embedded font (cff) at offset 0x7B7BB | 2003 bytes
font_09_cff_off0007bfca.bin | 69d6f358c06d1d363c4e7339e7d65d868e63b23c610ce66e2b452cb37aee9c73 | pdf-font-stream | PDF embedded font (cff) at offset 0x7BFCA | 3594 bytes
font_10_cff_off0007cc8b.bin | 2e14c77a63bfb30546041d4690da19ab34bcbd71b92c9596a99cff46b8fbbf85 | pdf-font-stream | PDF embedded font (cff) at offset 0x7CC8B | 246 bytes
font_11_cff_off0007cedb.bin | 452dfc5f998db082f6d1c8acc62b7ed6ecb7c164b405a939d8424f2458d57b91 | pdf-font-stream | PDF embedded font (cff) at offset 0x7CEDB | 1781 bytes
font_12_cff_off0007d6ef.bin | 1c9ff49224969e9d4fa6ab936d418dc245539b2aa61a25f787a3cf841920da0d | pdf-font-stream | PDF embedded font (cff) at offset 0x7D6EF | 4694 bytes
font_13_cff_off0007e782.bin | 0866b3609b866f2ea272636820c41565b9b6490c238c3a189bd660f3abc1f2fd | pdf-font-stream | PDF embedded font (cff) at offset 0x7E782 | 5710 bytes