Malicious PDF — malware analysis report

Static analysis result for SHA-256 b77dec096238ac2b…

Verdict: MALICIOUS
File type: PDF
Size: 1.79 MB
Created: 2014-05-05 15:14:44 -05:00
Authoring application: Adobe LiveCycle Forms 8.2
MD5: 075266eaebf4b70961f117b609967404
SHA-1: 4ac9d347fd021dd9b1bee8ffa4687348d02f7229
SHA-256: b77dec096238ac2bca683e0aba3da2002bee727f126c0f029de1ecfe42e6d14a
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1059.001 Scripting: PowerShell
  • T1059.007 Scripting: JavaScript

The PDF contains critical XFA heap spray exploit code and risky executable scripts, indicating an attempt to leverage a known vulnerability. The embedded JavaScript streams and XFA actions are designed to trigger this exploit. The presence of multiple unknown URLs suggests a potential command and control or payload delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9803

Heuristics (8)

  • XFA form contains risky executable script (severity: high, CVE related) PDF_XFA_SCRIPT
    PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behaviour is present.
  • XFA JavaScript heap-spray exploit code (severity: critical) PDF_XFA_HEAP_SPRAY
    PDF contains XFA script content with heap-spray or shellcode-like JavaScript markers such as large encoded word sequences, util.pack, large arrays, or spray variable names. This is a weaponised Adobe Reader exploit pattern, not a normal interactive form.
  • Embedded script payload in PDF stream (severity: medium) PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; this is common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action (severity: low) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low) PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form (severity: low) PDF_XFA
    PDF uses XML Forms Architecture (XFA), which can contain script logic.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (13)

Files carved from inside the sample during analysis.

  • embedded_file_obj0055.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 55 at offset 0x1A0FF3
    Size: 162 bytes
    SHA-256: 82d700fa7402fd5bb12c64a441d17a7a45a3a9db8a99b42c21061a2ca6d2a0e9
  • embedded_file_obj0056.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 56 at offset 0x1A10E6
    Size: 643859 bytes
    SHA-256: e97a1c12feed9baaeadf819aa2b73832a91fcf30910d6af6ee10c541f0c6261a
  • embedded_file_obj0057.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 57 at offset 0x1B7565
    Size: 162566 bytes
    SHA-256: 6b4b62781e5de0997aebdd980ddcb374c08b70f670671d30382324f348424f16
  • javascript_obj0027_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 27 at offset 0x18A0
    Size: 1169 bytes
    SHA-256: 0ab3d232b2f2272b7039ee3e45d0be78ade06bb45327a799559ad4a592ef5a3d
  • javascript_obj0028_001.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 28 at offset 0x1746
    Size: 902 bytes
    SHA-256: e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a
  • javascript_obj0029_002.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 29 at offset 0x1569
    Size: 1363 bytes
    SHA-256: 529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f
  • stream_006_off000af611.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xAF611
    Size: 367087 bytes
    SHA-256: b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa
  • stream_007_off000e1f18.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xE1F18
    Size: 352198 bytes
    SHA-256: 1e8564d3d89047875dccaa98279599de9d7ddf77240906041f1156ba8edf3315
  • embedded_pdf_script_00003f65.bin
    Kind: pdf-embedded-script
    Source: PDF raw stream script payload at offset 0x3F65
    Size: 10491 bytes
    SHA-256: fa02a0d4947b5f2c6c9b6fe9648af45d8bfd132393d481694df3a8362e7db897
  • font_00_sfnt_off000779ee.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x779EE
    Size: 95975 bytes
    SHA-256: c29e5b1537bee8c88b3ffca56c5f24a45ec8da374cf9d4c0b4a78d04fc230949
  • font_01_sfnt_off000883fa.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x883FA
    Size: 97320 bytes
    SHA-256: 926d8eb5abd4c74e46a419aaf25a490564d389c7a250d2392b198a342df65b8a
  • font_02_sfnt_off00098c10.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x98C10
    Size: 173912 bytes
    SHA-256: b00e7021057467332c8f8af567cecc8f5b0cd81afb6370e3470acaf1454e14f9
  • font_05_sfnt_off001b95d4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1B95D4
    Size: 100386 bytes
    SHA-256: c2866f0a01f1ce525d7f9cf64dedca6f78fb819607944a1bad77ae8d36a08de5