Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba6db011c15d1b11…

MALICIOUS

PDF

849.8 KB Created: 2007-07-09 15:34:25 UTC Authoring application: QuarkXPress(tm) 6.5
MD5: 977ba75f4d8eb07051c3c85bed57e90f SHA-1: dc874a74ec80ed21c3332a851c48c5051fd9a76b SHA-256: ba6db011c15d1b1150856b3416dc89d970a8d31ce826ee0e8cf936a5d97e1117
66 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment

The high-severity heuristic SE_PAYMENT_REDIRECT_LURE indicates the document's content is designed to trick the user into changing payment details, a common tactic in business email compromise. The presence of embedded JavaScript, though not directly analyzed for malicious intent in this report, suggests an attempt to automate malicious actions. The benign URLs extracted do not detract from the primary lure identified.

Heuristics 6

  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
f2d915978558ce4882b194fe39083429168773514e45c5f15fb6c0d688865cfd		 pdf-javascript-stream PDF /JS object 8 at offset 0x987F 96 bytes
font_00_cff_off0000b08a.bin
be055d935cbdf11301746905e030dbc6545bea6ab1bee2897c48a4c7aa4bd65b		 pdf-font-stream PDF embedded font (cff) at offset 0xB08A 45525 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.53, consistent with packed or encrypted content.
font_01_sfnt_off000284cb.bin
48719460f532ea9e1aad5582c28fd2381222dc4fad375cc59bfeb8fa86abe3b1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x284CB 128397 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.