Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2cbcdcfbcde6af8…

MALICIOUS

PDF

65.5 KB Created: 2017-05-11 23:52:42 +03:00 Authoring application: 8163703 (via iTextSharp’ 5.5.10 ©2000-2016 iText Group NV (AGPL-version))
MD5: 5ab4a42260f36cee656343f3f3cccc4a SHA-1: b62d884d4d2112a76814405355fe29e56657f7e2 SHA-256: b2cbcdcfbcde6af813ddfc4fe3d5fa6bf520e8e4e90512f965bf390be0e4181e
146 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript, a common technique for initiating malicious actions. ClamAV detections for 'Pdf.Malware.Agent-6312717-0' and 'Doc.Downloader.Donoff-10030369-0' strongly suggest that the embedded JavaScript is designed to download and execute a secondary payload. The PDF itself appears to be a lure, as indicated by the 'PDF_IMAGE_ONLY_LURE' heuristic, lacking readable text content.

Heuristics 6

  • ClamAV: Pdf.Malware.Agent-6312717-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Malware.Agent-6312717-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
MHZRQN.docm
7706e5741f3e6a688008e4c79f1f1ed288c21ed73bfefac159c3b7eaffd28ea7		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x871 74992 bytes
Detection
ClamAV: Doc.Downloader.Donoff-10030369-0
Obfuscation or payload: unlikely
javascript_obj0006_001.js
76a5e577d56401787f779db428418412039740482e607c38f19add6ce551b652		 pdf-javascript-stream PDF /JS object 6 at offset 0xFB9D 4564 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.