Malicious PDF — malware analysis report

Static analysis result for SHA-256 bcc7d32b617a5804…

MALICIOUS

PDF

330.3 KB Created: 2010-09-20 10:36:57 +08:00 Authoring application: WPS Office 个人版 (via PDFlib 7.0.3 (C++/Win32))
MD5: b490c865dc609062454de4b781390e97 SHA-1: 1b1ca850d440f8fea987f7e36c2b2ccdc1e07773 SHA-256: bcc7d32b617a5804c076050e3cf878325be5b1b99a6475f1716d89a78a8c58c9
198 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

This PDF file is identified as malicious due to the critical firing of CVE_2011_2462_RICHMEDIA_U3D, indicating an exploit targeting Adobe Reader's U3D/RichMedia parser. The presence of an embedded file and a secondary embedded PDF further suggests a multi-stage attack. The primary goal appears to be exploiting this vulnerability to gain initial execution, likely for downloading and executing further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9223

Heuristics 5

  • Adobe Reader U3D/RichMedia parser exploit critical CVE likely CVE_2011_2462_RICHMEDIA_U3D
    PDF combines U3D stream markers with RichMedia and JavaScript/XFA activation surfaces. This is the U3D RichMedia exploit document shape associated with CVE-2011-2462, even though the U3D marker is not exposed through the canonical /Subtype /U3D dictionary.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_027_off00028d32.bin
f49b375431081a44bc1d701e91e30e2197de199fbf74f2cbfaf44711cb40c406		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x28D32 314120 bytes
objstm_0017_00.bin
c515a5551a72a8497045fc7510d95c5a1a4edc56f02c0e8a1e04fb3285830168		 pdf-objstm-decoded PDF /ObjStm 17 0 obj (inflated) 1038 bytes
font_00_sfnt_off000247fc.bin
ab5d8bb944cc023dd66cff764dc3c5b6815f2f5f9c97c248b36b0231b9dc0f09		 pdf-font-stream PDF embedded font (sfnt) at offset 0x247FC 20672 bytes
font_02_sfnt_off00045607.bin
c6c8c11ae7e2c321d98561856fbbaae75178538b5900078e54acf10e32245a20		 pdf-font-stream PDF embedded font (sfnt) at offset 0x45607 203416 bytes
polyglot_child_pdf_off00017302.pdf
e6e40442bfa42379712c97576681d134019d2345a8d8ad1375c57aa5dc8f5410		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x17302 243268 bytes
polyglot_child_pdf_off00051159.pdf
0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x51159 6125 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.