Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2197848e9201f80…

Verdict: MALICIOUS
File type: PDF
Size: 1.29 MB
Created: 2018-08-25 08:24:58 UTC (taken from the document's own metadata, which the producer controls)
Authoring application: The AcroTeX eDucation Bundle (via Acrobat Distiller 18.0 (Windows))
MD5: a4d709920c0806f4918d6ea2b1bc59ad
SHA-1: 9c4216e4311fdfc94a6994982a307cfc9a86457f
SHA-256: b2197848e9201f80c47990f3bbbcaf016fd74604bc17723336e980d27e8db099
Risk score: 64

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell (scanner-assigned; nothing on this page references PowerShell, so treat the mapping as unverified. The evidence actually present, JavaScript actions inside a document, corresponds to T1059.007 JavaScript, delivered via T1204.002 User Execution: Malicious File.)

The file carries multiple JavaScript indicators: a /JavaScript action, 17 carved /JS streams, an /AA additional-actions dictionary and a /Btn form field paired with an action trigger. The 501+ stream objects are flagged as possible heap spraying or heavy obfuscation. ClamAV detects none of the carved scripts; 9 of the 17 are flagged only by the generic static triage for eval/decoder/string-building tokens (between 1 and 22 per file), and the per-artifact findings record no download or execution term. The document body could not be rendered for review, so the hypothesis that the JavaScript fetches and runs a second-stage payload is unconfirmed: it rests on the token counts alone and should be settled by reading the carved scripts (objects 4250, 4244 and 4253 carry the most tokens). Two URLs were found outside the XMP metadata namespaces. http://www.acrotex.net is the home of the AcroTeX bundle named in the authoring-application field, and http://www.YandY.comCMSY10 is most likely the URL of the font vendor Y&Y, taken from an embedded font's notice string and run together with the next string, the font name CMSY10 (CFF fonts store their strings back to back, so a byte-level URL regex does not stop at the boundary). Both URLs, and the many separate JavaScript streams, are consistent with an AcroTeX-generated interactive document, which is exactly the benign-form case the low-weight JS rules are designed to discount; the verdict therefore hinges on the stream count and the token counts, not on any confirmed payload.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4061

Heuristics (9)

  • Unusually high stream count medium PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Additional-actions dictionary low PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.YandY.comCMSY10 (most likely the Y&Y font vendor URL from an embedded font's notice string, run together with the adjacent font name CMSY10; the per-URL channel labels are not shown on this page)
    • http://www.acrotex.net (home of the AcroTeX bundle named as the authoring application)
    The remaining entries are XMP/RDF namespace identifiers from the document's metadata stream, not links a reader can follow:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/rights/
    • http://ns.adobe.com/photoshop/1.0/
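The heuristics above (keyword counts for /JS, /JavaScript, /AA, /Btn and /URI, the stream-count rule, the per-artifact eval/decoder token check and the URL sweep) can be reproduced with a few regexes over the raw bytes, the way pdfid works. The script below is an added example written for this page, not the scanner's code: the MANY_STREAMS threshold, the OBF_TOKENS list and the sample PDF it builds are assumptions. The sample is constructed to show two things the report's numbers depend on: a hex-escaped name (/J#53) that a naive grep for /JS misses, and a CFF-style font blob whose notice string runs straight into the font name, which is how a byte-level URL regex produces a run-on such as http://www.YandY.comCMSY10 while the /URI-action channel yields only the real link.

```python
"""Static PDF triage: count action keywords, carve and inflate streams,
score each carved stream for eval/decoder tokens, extract URLs per channel."""
import re
import zlib

MANY_STREAMS = 500          # assumed threshold for a PDF_MANY_STREAMS-style rule
TRIGGER_KEYS = (b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch",
                b"/URI", b"/SubmitForm", b"/Btn")
# A name token ends at whitespace or a PDF delimiter, so /JS is not counted in /JSX.
NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj")
URI_ACTION_RE = re.compile(rb"/URI\s*\((?P<u>[^)]*)\)")   # no handling of \) escapes
URL_RE = re.compile(rb"https?://[\w.\-/?=&%#~:]+")        # byte-level: knows no token boundaries
# Assumed token list for an "eval/decoder/string-building" check.
OBF_TOKENS = (b"eval(", b"unescape(", b"String.fromCharCode", b"app.setTimeOut(", b"app.launchURL(")

# Constructed lure-shaped script for the sample PDF (not code from the analysed file).
JS_PAYLOAD = b"var s = unescape('%u4141'); eval(String.fromCharCode(97,108,101,114,116));"


def normalise_names(data: bytes) -> bytes:
    """Expand #xx escapes so /J#53 counts as /JS. Used only for keyword
    counting; stream bytes are never taken from this copy."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate(raw: bytes) -> bytes:
    """Inflate a FlateDecode stream. decompressobj tolerates a stream whose
    trailing byte the stream regex consumed; non-zlib streams come back raw."""
    try:
        return zlib.decompressobj().decompress(raw) or raw
    except zlib.error:
        return raw


def obfuscation_score(blob: bytes) -> int:
    """Count eval/decoder/string-building tokens in one carved artifact."""
    return sum(blob.count(t) for t in OBF_TOKENS)


def carve_streams(pdf: bytes):
    """Yield (object number, inflated bytes) for every stream; the owner is
    the nearest 'N 0 obj' that precedes the stream keyword."""
    for m in STREAM_RE.finditer(pdf):
        owners = [int(o.group(1)) for o in OBJ_RE.finditer(pdf, 0, m.start())]
        yield (owners[-1] if owners else -1), inflate(m.group(1))


def triage(pdf: bytes) -> dict:
    """Return the signals a PDF_* rule set would score."""
    named = normalise_names(pdf)
    keywords = {k.decode(): len(re.findall(re.escape(k) + NAME_END, named)) for k in TRIGGER_KEYS}
    streams = list(carve_streams(pdf))
    inflated = b"".join(data for _, data in streams)
    return {
        "keywords": keywords,
        "stream_count": len(streams),
        "many_streams": len(streams) >= MANY_STREAMS,
        # per carved stream: owning object number, inflated size, token count
        "streams": [(obj, len(data), obfuscation_score(data)) for obj, data in streams],
        "urls": {
            # labelled channel: only strings that sit inside a /URI action
            "uri-action": sorted({m.group("u") for m in URI_ACTION_RE.finditer(pdf)}),
            # byte-level sweep: also hits URLs buried in font and metadata blobs
            "raw-bytes": sorted(set(URL_RE.findall(pdf + inflated))),
        },
    }


def build_sample_pdf() -> bytes:
    """Constructed PDF (not the analysed sample): a /JavaScript name-tree entry,
    a /Btn widget with /AA and a /URI action, one FlateDecode JS stream and a
    CFF-style font blob whose strings are stored back to back."""
    js_stream = zlib.compress(JS_PAYLOAD)
    font_blob = (b"Copyright (C) 1997 AMS. All Rights Reserved. See http://www.YandY.com"
                 b"CMSY10"          # next string in the CFF String INDEX: the font name
                 b"\x00\x01\x01")   # binary data of the following INDEX
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [5 0 R] >>"
        b" /Names << /JavaScript << /Names [(init) 3 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /J#53 4 0 R >>",               # /J#53 is /JS, hex-escaped
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js_stream)
        + js_stream + b"\nendstream",
        b"<< /FT /Btn /T (Download) /Subtype /Widget"
        b" /AA << /U << /S /URI /URI (http://www.acrotex.net) >> >> >>",
        b"<< /Length %d /Subtype /Type1C >>\nstream\n" % len(font_blob)
        + font_blob + b"\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    # No xref table: like pdfid, the triage works on raw bytes and never needs one.
    return b"%PDF-1.7\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf()).items():
        print(key, value)
```

Running it on the constructed sample reports /JS once (only because of the #xx expansion), /JavaScript twice, one /AA, one /Btn, two /URI tokens, two streams of which only the inflated JavaScript scores any tokens, and two URL channels: the /URI action yields http://www.acrotex.net alone, while the raw sweep adds http://www.YandY.comCMSY10. That gap is why a URL list without per-channel labels cannot be read as a list of links.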

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Each entry gives the filename, its SHA-256, then kind, source and size; a Detection line follows where the static triage flagged the artifact.
javascript_obj3623_001.js
c4a4eae17d9d40da49085df6ff28d9cc355c180d81aac0b049d008fc3871d0d1
pdf-javascript-stream PDF /JS object 3623 at offset 0xDA335 47 bytes
javascript_obj4227_002.js
70c5a87d7b8246106d4d97a93baa049046bcf78894bcdf15b71692e57c523a45
pdf-javascript-stream PDF /JS object 4227 at offset 0x13CC13 222 bytes
javascript_obj4239_005.js
f4320d62def081d3a01d32772e892858a4702055c17bef47cbdacd73d0ea0518
pdf-javascript-stream PDF /JS object 4239 at offset 0x13CF5A 117 bytes
javascript_obj4244_006.js
328c084ba2a837db0ed5fb601b19878d71f7fa1a7b09f2ad8485e5093dd50fb6
pdf-javascript-stream PDF /JS object 4244 at offset 0x13D0C2 6055 bytes
Detection: ClamAV no threats found; obfuscation or payload likely (11 eval/decoder/string-building tokens)
javascript_obj4245_007.js
92c6e56a20cdd2f2e9587844fba3be1901771cb6511824cb170c79daecba426f
pdf-javascript-stream PDF /JS object 4245 at offset 0x13D6AF 5271 bytes
javascript_obj4246_008.js
9f39b2dcf094d49f4771fc15d61bd4c38f1c5b7fa04ba464873ced66fc3d22b3
pdf-javascript-stream PDF /JS object 4246 at offset 0x13DC11 4863 bytes
Detection: ClamAV no threats found; obfuscation or payload likely (1 eval/decoder/string-building token)
javascript_obj4247_009.js
7628ec45b562dc3c82be88f4ab5bba0bcc0b9173d3c1b38013933e3a1355abd8
pdf-javascript-stream PDF /JS object 4247 at offset 0x13E014 271 bytes
javascript_obj4248_010.js
22e5349d904328d09070ab8de3680fd7ad014a67e656cd4617c14c1ac7720f3d
pdf-javascript-stream PDF /JS object 4248 at offset 0x13E125 2336 bytes
Detection: ClamAV no threats found; obfuscation or payload likely (3 eval/decoder/string-building tokens)
javascript_obj4249_011.js
3408814a8b6d024763ef816f484355ce72bda046fb5997e32599a85e8fbf10ec
pdf-javascript-stream PDF /JS object 4249 at offset 0x13E519 2444 bytes
Detection: ClamAV no threats found; obfuscation or payload likely (1 eval/decoder/string-building token)
javascript_obj4250_012.js
90469f326cd1bbbb0fc15b78ace816b091ab141b1bea6e3057f307003f247927
pdf-javascript-stream PDF /JS object 4250 at offset 0x13E875 17487 bytes
Detection: ClamAV no threats found; obfuscation or payload likely (22 eval/decoder/string-building tokens)
javascript_obj4251_013.js
4fceeb0d1719bc040fb94181a423576e72e3c77f46f239f58ebb057d82b7f47c
pdf-javascript-stream PDF /JS object 4251 at offset 0x13FA2F 1084 bytes
Detection: ClamAV no threats found; obfuscation or payload likely (3 eval/decoder/string-building tokens)
javascript_obj4252_014.js
c87793efb51a86431807c013e7db8ea67f97d546c7f80f355668643b08074eaf
pdf-javascript-stream PDF /JS object 4252 at offset 0x13FBCA 2522 bytes
javascript_obj4253_015.js
3a18dd66d7a5449716187ced4a18ced17ba2de3d6d8f022c024a49edc0e712a5
pdf-javascript-stream PDF /JS object 4253 at offset 0x13FEC5 18331 bytes
Detection: ClamAV no threats found; obfuscation or payload likely (7 eval/decoder/string-building tokens)
javascript_obj4254_016.js
cd372b39cdf7c8bf79c89276b44bbaef21d5b6b59f1033d9407379c94a70070a
pdf-javascript-stream PDF /JS object 4254 at offset 0x140F64 4340 bytes
Detection: ClamAV no threats found; obfuscation or payload likely (4 eval/decoder/string-building tokens)
javascript_obj4255_017.js
262748f83cefbd161a9d985500d72fc106ad083ca8d0917125d14c24181dfe21
pdf-javascript-stream PDF /JS object 4255 at offset 0x14155D 2807 bytes
javascript_obj4256_018.js
4f8801502c18931f9821a18d317e128d47dec0cf2f05f3a175a6cd94d5f59bd4
pdf-javascript-stream PDF /JS object 4256 at offset 0x141961 257 bytes
Detection: ClamAV no threats found; obfuscation or payload likely (4 eval/decoder/string-building tokens)
javascript_obj4257_019.js
80a733fcb00d6f349d3425acf5ff1a30eec7d9885e84907d971ffa16b2e8a892
pdf-javascript-stream PDF /JS object 4257 at offset 0x141A47 5626 bytes
stream_002_off00001cc4.js
78e60372cbb6c0e38e8ab38775ebd4fb9bdc1b2d4879d7a475fce60f106d6aee
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1CC4 28585 bytes
stream_007_off0000725f.js
24ac9ef63561e6128e64158a9fb80af0a08deb7dc76b668011588016b9059903
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x725F 26943 bytes
stream_009_off0000a29a.js
70cbc4a980bf38e1ab54e5c0b640da9cb44aa9cbe81d7dd2adcbea0575399bf9
decompressed-pdf-stream PDF FlateDecoded stream at offset 0xA29A 53656 bytes
stream_029_off00016769.bin
d78505f79b66cf670e1b1e479c9ab1461df02813eadc179308b065bebed5eb23
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x16769 572562 bytes
stream_051_off0002e6ec.js
e1ab5b2f15a53a780b0778558ec88f0a4f19a6f0d6575124afca4677ce4c425e
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2E6EC 4515 bytes
objstm_3078_00.bin
2515b3ed3f7cb93165ee693dc75458c40f12f008ef1a08a1a4c571567710a3ce
pdf-objstm-decoded PDF /ObjStm 3078 0 obj (inflated) 40958 bytes
objstm_3081_00.bin
013a9bfa01d8d309818e502589cfceb5d9294d85acc37a7344c83410c2abac32
pdf-objstm-decoded PDF /ObjStm 3081 0 obj (inflated) 43896 bytes
icc_00_off00010575.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
pdf-icc-profile PDF ICC profile at offset 0x10575 3144 bytes
font_00_cff_off0007fe30.bin
7608af6408a9b68417a0d55f409219dc1fbcae2e29e4d613f58dcf35972699ec
pdf-font-stream PDF embedded font (cff) at offset 0x7FE30 1430 bytes
font_01_cff_off000805c6.bin
6c45a4fbe92d6975094cfb93b1d4e863b358f3d8c040f115a409b77ffb784f31
pdf-font-stream PDF embedded font (cff) at offset 0x805C6 5912 bytes
font_02_cff_off00081c3d.bin
9edb0ddf94784d79650c0df1ecee59ce6a323164a66ff8d0c430d8769b09f0ab
pdf-font-stream PDF embedded font (cff) at offset 0x81C3D 11942 bytes
font_03_cff_off000841e8.bin
7d0c6dfd3305a49041e6c5f84d77e672350f27066d46b2fcf6653636d4136b4b
pdf-font-stream PDF embedded font (cff) at offset 0x841E8 7809 bytes
font_04_cff_off00085e62.bin
31ae146a52ef11c2377efd1e3fcca65e723e1d33d3c215687c12ff20f5555019
pdf-font-stream PDF embedded font (cff) at offset 0x85E62 9073 bytes
font_05_cff_off00087a4e.bin
e496717d43f507bf0a77438f65a7114fd6b3b97b81affaa3d0476ab9c8efa620
pdf-font-stream PDF embedded font (cff) at offset 0x87A4E 1088 bytes
font_06_cff_off00087fa1.bin
f90168c0dbe373e15fcdb94d88a339d038143061a89b299bb076d283c0e7e822
pdf-font-stream PDF embedded font (cff) at offset 0x87FA1 3782 bytes