Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb4b63d0006d9d58…

MALICIOUS

PDF

Size: 636.3 KB
Created: 2010-12-26 21:13:41 +08:00
MD5: 297b4c77266cd9c71c0166c1d7dacc5a
SHA-1: 23f5c8b2c30116efaa354364024a2b8886fe0414
SHA-256: bb4b63d0006d9d58084edc9bbc3d3dc6ef3f5b2c12442671f9517b0f6d116764
Risk Score: 86

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

This PDF file was flagged as malicious by an ML classifier. It contains embedded JavaScript and an embedded file, which are common techniques for delivering second-stage payloads. The presence of these elements, along with the 'ML_NYX_PDF_MALICIOUS' heuristic, indicates a high likelihood of malicious intent, likely to download and execute further malware.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9435)

Heuristics (7)

  • Embedded script payload in PDF stream (medium) PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file (low) PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • JavaScript action (low) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form (low) PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic. (matched inside decoded stream)
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • embedded_file_obj0001.bin
    SHA-256: f7ee3ef2f8f35d669a6c2b8b0b0ee89655bbc3d04b107a8d22531830f6fc28a1
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 1 at offset 0x4497; Size: 86 bytes
  • embedded_file_obj0002.bin
    SHA-256: 5a55e676fbfa6c4799ed03376591e1b59740f36a9b7c1d6b186de88c8a293a94
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 2 at offset 0x454A; Size: 1460 bytes
  • embedded_file_obj0003.bin
    SHA-256: 9c15ce56b0ff0b108ea249f3153aa42d309fb157afa20d1dae4bbb79320142c6
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 3 at offset 0x4807; Size: 7392 bytes
  • embedded_file_obj0004.bin
    SHA-256: da19a956510de42d8522c11b25445b3efa52056541ed94d34b6ccf27c6a9ff47
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 4 at offset 0x536A; Size: 159 bytes
  • embedded_file_obj0005.bin
    SHA-256: 7a3baf6cd7005199e771f5fac95d2162e961b145b52976bfa7d0f32a10c9758d
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 5 at offset 0x543D; Size: 3023 bytes
  • embedded_file_obj0006.bin
    SHA-256: 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 6 at offset 0x57CE; Size: 200 bytes
  • embedded_file_obj0007.bin
    SHA-256: e9d42684895eb3d2f59193e993cdf76a57032a413f7d1d253d7c1c6cab4c0e20
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 7 at offset 0x58C1; Size: 835 bytes
  • embedded_file_obj0008.bin
    SHA-256: 4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 8 at offset 0x5A99; Size: 56 bytes
  • stream_002_off00000352.js
    SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x352; Size: 1532 bytes
  • stream_003_off0000053d.js
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x53D; Size: 870 bytes
  • stream_021_off00006124.bin
    SHA-256: 1bff43e0d231e3e26ca1d9fb684837e370e07dca34e3d8d00878342f76266b59
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x6124; Size: 591087 bytes
  • stream_023_off00096c2d.bin
    SHA-256: 0601c4b533d97a420b6c976136126d6e4d79c0f357e07bcf80adaf2c57144440
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x96C2D; Size: 32400 bytes
    Detection
      ClamAV: No threats found
      Obfuscation or payload: likely (carved artifact entropy is 7.74, consistent with packed or encrypted content)
  • objstm_0040_00.bin
    SHA-256: 402a910cdaf19a5d43a30d58c91c0cdfd24fbd39392423afe425e3cf62f7712f
    Kind: pdf-objstm-decoded; Source: PDF /ObjStm 40 0 obj (inflated); Size: 1928 bytes