Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd50ea778f315b2e…

Verdict: MALICIOUS
File type: PDF

Size: 262.7 KB
Created: 2009-11-05 14:36:46 +01:00
MD5: 7ca2a6f894fb3a52b26550643b300847
SHA-1: 71ac739463f3ec61e321bd0d3cc82ada71646e80
SHA-256: bd50ea778f315b2eef55d4670fb9524397a1e998ef517d7e171c9384da86468d
Risk Score: 74

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and exhibits characteristics associated with the CVE-2010-0188 exploit, which targets the CCITTFaxDecode filter. The presence of XFA forms further suggests a complex attack vector. The embedded JavaScript is likely responsible for executing the malicious payload, potentially leading to further compromise. The document body is heavily obfuscated, which prevents a clear reading of its lure, but the technical indicators point to vulnerability exploitation.

Heuristics (7)

  • CCITTFaxDecode + TIFF/XFA exploit prep — LibTIFF CVE-family indicator (severity: high, CVE related; rule PDF_CCITT_CVE_2010_0188_RELATED)
    PDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
  • Embedded file (severity: low; rule PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form (severity: low; rule PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • JavaScript action (severity: low; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Suspicious extracted artifact (severity: info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (19)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
embedded_file_obj0010.bin | f7ee3ef2f8f35d669a6c2b8b0b0ee89655bbc3d04b107a8d22531830f6fc28a1 | pdf-embedded-file | PDF EmbeddedFile object 10 at offset 0x1EAEB | 86 bytes
embedded_file_obj0011.bin | c98b3015348b9ff35d18f73ffbda6654ccb4c35e722e6595d951958f6b888272 | pdf-embedded-file | PDF EmbeddedFile object 11 at offset 0x1EB9F | 1510 bytes
embedded_file_obj0012.bin | 8cc5aa7bb76eb927b205bcade32778f91d0b4f1be9c1198b979cdc0374097879 | pdf-embedded-file | PDF EmbeddedFile object 12 at offset 0x1EE79 | 3822 bytes
embedded_file_obj0013.bin | 13486a09bfe74a427cc8628e5579414100c67ae8c2cbcb047148d089d9037b9b | pdf-embedded-file | PDF EmbeddedFile object 13 at offset 0x1F51D | 1259 bytes
embedded_file_obj0014.bin | 6d5400a362e88c29a09dda53c8df66a527198a5e201ef7a72fce86a9f4aaec22 | pdf-embedded-file | PDF EmbeddedFile object 14 at offset 0x1F91E | 2897 bytes
embedded_file_obj0015.bin | 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5 | pdf-embedded-file | PDF EmbeddedFile object 15 at offset 0x1FCB0 | 200 bytes
embedded_file_obj0016.bin | 799ba3cf0c867107a529ad7c060f4677535ee51910554b8ecddd853f65c2f114 | pdf-embedded-file | PDF EmbeddedFile object 16 at offset 0x1FDA4 | 1851 bytes
embedded_file_obj0017.bin | 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19 | pdf-embedded-file | PDF EmbeddedFile object 17 at offset 0x20074 | 80 bytes
embedded_file_obj0018.bin | 4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1 | pdf-embedded-file | PDF EmbeddedFile object 18 at offset 0x2011E | 56 bytes
embedded_file_obj0157.bin | c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb | pdf-embedded-file | PDF EmbeddedFile object 157 at offset 0x3B040 | 85 bytes
embedded_file_obj0158.bin | 682bb275ed0bb2b28ddde93dd56fb1e07e23e474493d975c19c8c01ab2d52668 | pdf-embedded-file | PDF EmbeddedFile object 158 at offset 0x3B0F4 | 320 bytes
embedded_file_obj0165.bin | e178683c1afd35c8fe5521d7390238369da6484319870008dff9d1c5551fde48 | pdf-embedded-file | PDF EmbeddedFile object 165 at offset 0x3C931 | 444 bytes
stream_002_off000004b5.js | f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4B5 | 1532 bytes
stream_003_off000006a0.js | 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6A0 | 870 bytes
objstm_0051_00.bin | 22e757a21d9f95c3f449eb4eef4e148a9bfe7ebda0b3e89814992715e652fa5c | pdf-objstm-decoded | PDF /ObjStm 51 0 obj (inflated) | 4574 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs).
font_00_cff_off00010cdc.bin | 6b99a3e1c1d5385a3d0fd7dc6cac893f8d0b91dbdb20fbd917c95e8396305c79 | pdf-font-stream | PDF embedded font (cff) at offset 0x10CDC | 1979 bytes
font_01_cff_off0001144c.bin | 1fd60e638729a7cc84682a42c0930762600525a1eaedf05680745d63baf14a6d | pdf-font-stream | PDF embedded font (cff) at offset 0x1144C | 5481 bytes
font_02_cff_off00012da0.bin | 0c786fdf21f4085c2147ad417e129cebfc1defceb419e1ebf70082e92c3e6c30 | pdf-font-stream | PDF embedded font (cff) at offset 0x12DA0 | 5802 bytes
font_03_sfnt_off0003a328.bin | 1e89ef5e3b947bcb76caffd937d9a14dac7c022047a96cd1912c0c1f6a63253a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3A328 | 8127 bytes