Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1010265c1a13c10…

MALICIOUS

PDF

149.1 KB Created: 2011-09-20 10:38:42 +08:00 Authoring application: WPS Office 个人版 (via PDFlib 7.0.3 (C++/Win32))
MD5: 0a630bbaa1691ed10540048bd5b4cf04 SHA-1: 69e290d97fcb7ee4443e895283ef5b86fa22bee5 SHA-256: b1010265c1a13c1047877c9a8fb37265e61309a24a1a7c2e7e6d8709c47d2f4f
164 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The PDF exhibits multiple high-severity heuristic firings, including embedded files, JavaScript, and RichMedia (Flash), strongly indicating malicious intent. The ML classifier also flagged it with high confidence. The presence of embedded files and JavaScript suggests the PDF is designed to download and execute further malicious content or exploit vulnerabilities within the reader application. The benign URLs found are likely standard PDF metadata namespaces.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9869

Heuristics 8

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 15

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
3000b3469a8bd553f177da3f507a5ea2271a3dee1fd5d5343f41950837af583c		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x3B36 163 bytes
embedded_file_obj0002.bin
66b82b096ae83103365f40b9b767a5582b0a497e4589e7b9323eac0320c61808		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x3C27 1670 bytes
embedded_file_obj0003.bin
e763ac63c3d21786709e7f462b463575525d0e344202f42dbb96897a01541e78		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x3F43 785 bytes
embedded_file_obj0004.bin
720c47f19e6a058099295d18a16b7149cc73fe497eb78821ea810f3192228dc4		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x4138 150 bytes
embedded_file_obj0005.bin
c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x4209 2955 bytes
embedded_file_obj0006.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x4583 200 bytes
embedded_file_obj0007.bin
4273cd319df227c91b92e5509527bb4f6e1abfb3aa2beec2fb2adb93a8671f62		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x4676 835 bytes
embedded_file_obj0008.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x484D 56 bytes
stream_002_off000003ed.js
529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3ED 1363 bytes
stream_003_off000005ca.js
e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5CA 902 bytes
objstm_0047_00.bin
856830b101f28eaa61f2ccb44204fecaa2d0a9658055009fda363a9d3056ff76		 pdf-objstm-decoded PDF /ObjStm 47 0 obj (inflated) 2543 bytes
font_00_sfnt_off0001165e.bin
08de78d09a60651c0493295b11541a182148cae00c8ac28271859cbc322a21fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1165E 5076 bytes
font_01_sfnt_off00012995.bin
00cc5caa580cb53a6a994086efd0a2310c57451ac28fd2794d4958c98d7002b0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12995 58928 bytes
polyglot_child_pdf_off0000f48f.pdf
7d2648df1fab061658b1e2cbc1940dd29effd449397e747c6db201685ef59f0c		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xF48F 90068 bytes
polyglot_child_pdf_off00023c76.pdf
0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x23C76 6125 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.