Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2d800d35ad746f6…

MALICIOUS

PDF

Size: 591.0 KB
Created: 2010-03-31 12:55:11 -04:00
Authoring application: Adobe InDesign CS4 (6.0.4) (via Adobe PDF Library 9.0)
MD5: b95ffeba445f4a358d36d25e0f8a1af0
SHA-1: 6d854763ea7f850fda835a1339801a268b91d990
SHA-256: b2d800d35ad746f661e02eb2cc95950fbbd6f63a5eaa2f7d281cb01a01e8befe
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.002 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The file is identified as malicious by multiple heuristics, including ML classification and ClamAV detection, with specific signatures pointing to it being a PDF dropper. The presence of embedded files and remote GoTo actions suggests an attempt to load or redirect to malicious content. The ClamAV detections 'Pdf.Dropper.Agent-7294513-0' and 'Pdf.Dropper.Agent-7384761-0' are the highest priority IOCs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8662

Heuristics 6

  • Embedded PDF child has suspicious static findings [critical] PDF_EMBEDDED_CHILD_STATIC_TRIAGE
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • ClamAV: Pdf.Dropper.Agent-7294513-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7294513-0
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Remote GoTo action [info] PDF_GOTO_REMOTE
    PDF has GoToR/GoToE actions that reference sibling document files — typical of multi-part document bundles.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#
    • http://ns.adobe.com/xmp/InDesign/private
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/g/

Extracted artifacts 9

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

Filename: tadpole_uranus_907.pdf
  SHA-256: 67285ae3579ed404c907d8437f9d1321ac532af8c416528b7f234860c687e043
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 244 at offset 0x1A9F1
  Size: 262794 bytes

Filename: tadpole_uranus_907_1.pdf
  SHA-256: fca40e141baad3b4abda2b3ddd27b064c73fb2806f283d0c60c434b24294a40f
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 244 at offset 0x1A9F1
  Size: 349267 bytes

Filename: tadpole_uranus_907_2.pdf
  SHA-256: 0f4a666ce2b6f677cff025a098f64d567a3c6564859e573104bbf85a8cf6a84b
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 244 at offset 0x1A9F1
  Size: 435784 bytes
  Detection: ClamAV: Pdf.Dropper.Agent-7384761-0
  Obfuscation or payload: unlikely

Filename: stream_019_off0001a020.bin
  SHA-256: 3adb59921cb7d83bb3669a5a2de9da1b29f68091af02cc6d4da5b6aed2cdda26
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1A020
  Size: 522354 bytes
  Detection: ClamAV: Pdf.Dropper.Agent-7384761-0
  Obfuscation or payload: unlikely

Filename: objstm_0121_00.bin
  SHA-256: 0c6e1d1e0b5a8545f6770bb4efc0d46ab6c1b1ed6d6345134d75f665b66e36aa
  Kind: pdf-objstm-decoded
  Source: PDF /ObjStm 121 0 obj (inflated)
  Size: 1120 bytes

Filename: font_00_cff_off0000b46d.bin
  SHA-256: 38d7d0627d6ef08fdb595be75f8f12752f3381fa7a1441ca8f76a5e76dc6e7b9
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xB46D
  Size: 609 bytes

Filename: font_01_cff_off0000ba3f.bin
  SHA-256: 5f3f348279f5218a0f3607c4a8e7c1b2190742072e04b58112191aa6b4235f52
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xBA3F
  Size: 886 bytes

Filename: font_02_cff_off0000c1e7.bin
  SHA-256: 7e5cb310f6cb7822b8a316192e8347738bb3f1d76fe954bdbf17623d2e87f2fb
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xC1E7
  Size: 3808 bytes

Filename: font_03_cff_off0000d457.bin
  SHA-256: 99bc093cddfa13f76f619bedeaf723ce24882a341f9686e35da3cad8dbab0a72
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xD457
  Size: 3669 bytes