Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba9ab41442d061eb…

Verdict: MALICIOUS
File type: PDF

Size: 244.1 KB
Created: 2011-04-25 22:48:14 +08:00
Authoring application: WPS Office 个人版 (via PDFlib 7.0.3 (C++/Win32))
MD5: 05048a6799be8ea6da0e2f65c37807ec
SHA-1: 6cf614dbea69f4d1721796c57d2de77a5ddd17ba
SHA-256: ba9ab41442d061eb787066fb77b0f1613657a3a73f2c50aaab06dfd1532213a8
Risk Score: 162

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The PDF exhibits multiple high-severity heuristic firings, including embedded files, JavaScript, and RichMedia (Flash), strongly indicating malicious intent. The ML classifier also flagged it with high confidence. The presence of embedded objects and JavaScript suggests the file is designed to execute code or exploit vulnerabilities upon opening. While specific URLs were extracted, they were all confirmed as benign, and no document body text or scripts were available for further analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9953

Heuristics (7)

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Each entry lists filename (kind): source, size; the SHA-256 of the carved file follows on the indented line.

  • embedded_file_obj0001.bin (pdf-embedded-file): PDF EmbeddedFile object 1 at offset 0x380F, 163 bytes
    SHA-256: 2bbe69c5e9b01e09ead01d39980623115955d79663f86ee38c3e26d62468aede
  • embedded_file_obj0002.bin (pdf-embedded-file): PDF EmbeddedFile object 2 at offset 0x38FF, 1683 bytes
    SHA-256: 2db2fcfa6c7f0b58af35cd0b7a546eab3e22594fa9e6a322d8448248c1371742
  • embedded_file_obj0003.bin (pdf-embedded-file): PDF EmbeddedFile object 3 at offset 0x3C21, 784 bytes
    SHA-256: 6824595d40fe37ff3a17665623abb424df29f2bf3924106e83b1192a2fc6fa0d
  • embedded_file_obj0004.bin (pdf-embedded-file): PDF EmbeddedFile object 4 at offset 0x3E15, 150 bytes
    SHA-256: 720c47f19e6a058099295d18a16b7149cc73fe497eb78821ea810f3192228dc4
  • embedded_file_obj0005.bin (pdf-embedded-file): PDF EmbeddedFile object 5 at offset 0x3EE6, 2955 bytes
    SHA-256: c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9
  • embedded_file_obj0006.bin (pdf-embedded-file): PDF EmbeddedFile object 6 at offset 0x4260, 200 bytes
    SHA-256: 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
  • embedded_file_obj0007.bin (pdf-embedded-file): PDF EmbeddedFile object 7 at offset 0x4353, 835 bytes
    SHA-256: 41b90835819d2fc9adfbed1f624b97daf557be436627d29ad24fdfcbedc74198
  • embedded_file_obj0008.bin (pdf-embedded-file): PDF EmbeddedFile object 8 at offset 0x452B, 56 bytes
    SHA-256: 4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1
  • stream_002_off000003d6.js (decompressed-pdf-stream): PDF FlateDecoded stream at offset 0x3D6, 1363 bytes
    SHA-256: 529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f
  • stream_003_off000005b3.js (decompressed-pdf-stream): PDF FlateDecoded stream at offset 0x5B3, 902 bytes
    SHA-256: e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a
  • objstm_0041_00.bin (pdf-objstm-decoded): PDF /ObjStm 41 0 obj (inflated), 1575 bytes
    SHA-256: cc0d110077f81314ac59a491675430d25faa86bdc2526ed35971cf361ac83464
  • font_00_sfnt_off0000def8.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xDEF8, 293692 bytes
    SHA-256: 72b4d8c4214c3851229e61383064ede298ce2a08e3be33ce5d86a049810bec59
  • font_01_sfnt_off0001ef3f.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x1EF3F, 37456 bytes
    SHA-256: 34cab9d06cf7e8ba37dfee8446613b092c42ef5bae4f7d1414e94b99e179d12c
  • polyglot_child_pdf_off0000c71d.pdf (polyglot-child-pdf): Secondary PDF body inside PDF container at offset 0xC71D, 198940 bytes
    SHA-256: 76a65f2eda682f43fbfa9537602e0f3029aae7eb8fccdc24f3931e9be8afb6fa
  • polyglot_child_pdf_off0003b84c.pdf (polyglot-child-pdf): Secondary PDF body inside PDF container at offset 0x3B84C, 6125 bytes
    SHA-256: 0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8