Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5bd42518e53613c…

MALICIOUS

PDF

6.55 MB Created: 2014-02-26 08:18:54 +01:00 Authoring application: Adobe InDesign CC (Windows) (via Adobe PDF Library 11.0)
MD5: 9626f863ce2223df9116e636aeaf9243 SHA-1: 7d581acf8e048944f73c24cfa18de8652b0435fa SHA-256: b5bd42518e53613c074dcc42f76f3ad51ec3c0c7e07b292c0b89036472ad84e6
70 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains embedded JavaScript and PRC/3D content, which are often used to exploit vulnerabilities. The high number of streams suggests obfuscation or a heap spray technique. While no specific URLs or scripts were directly extracted and analyzed for malicious intent, the presence of these elements strongly indicates an attempt to execute malicious code upon opening the document, likely leading to a second-stage payload download or exploit.

Heuristics 5

  • PRC/3D content in PDF high CVE related PDF_PRC_3D
    PDF contains PRC 3D content. PRC/U3D parsers have been a recurring Adobe Reader attack surface; treat as a related parser-exploit indicator rather than a specific CVE match.
  • Unusually high stream count medium PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/illustrator/1.0/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/g/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/sType/Font#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://ns.adobe.com/exif/1.0/aux/
    • http://ns.adobe.com/camera-raw-settings/1.0/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
icc_00_off0059fac1.icc
ec41aacd3d0a95e911097443c929848524c8fef645a0f6a18c26dc507576f265		 pdf-icc-profile PDF ICC profile at offset 0x59FAC1 557188 bytes
font_00_cff_off0060325f.bin
862773011c45110dbbb3bec2c9a9531d9dec5371b1251e3cedc647d24201d7f3		 pdf-font-stream PDF embedded font (cff) at offset 0x60325F 7158 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.43, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.