Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf4fd34009305a23…

MALICIOUS

PDF

946.7 KB Created: 2010-06-11 23:23:27 +08:00
MD5: b95cac8598b5f7307d48042e917b0bc1 SHA-1: ee973652067a98e50fd6295ac7bafa95daa7201e SHA-256: bf4fd34009305a23d92a8cfb6588d9f32a43fd677c77c9d352611d2177e7fd12
96 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains embedded JavaScript and multiple embedded files, indicating a multi-stage attack. The PDF_JAVASCRIPT and PDF_EMBEDDED_SCRIPT_PAYLOAD heuristics suggest that the script is designed to execute a payload. The presence of embedded files, particularly 'embedded_file_obj0003.bin', further supports the delivery of a malicious payload. The exact nature of the payload is not clear from the static analysis, but the overall pattern points to a downloader or dropper.

Heuristics 9

  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
84270147774bafb693cefa5666d1072d25266372a748def076468f6f646a453f		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x128F 163 bytes
embedded_file_obj0002.bin
a8b1b6c4a7495d6353e06643ee59323911843844524450bf1068d247661813e3		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x1380 1590 bytes
embedded_file_obj0003.bin
bce51576f361c2a5cb1b5786fb6626eb34a5bbe13e3cf964f10d091b40da35a9		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x167B 4747 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
embedded_file_obj0004.bin
e893fc6010e845f2d992671bea3fe5dbb18bd6d442b5e3f98d9a1f1599fafd25		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x1EBF 199 bytes
embedded_file_obj0005.bin
c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x1FAD 2955 bytes
embedded_file_obj0006.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x2327 200 bytes
embedded_file_obj0007.bin
733f6d5b45b2367069129a768a516fb18c67d8eea786404ef5632cf493f4226c		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x241A 835 bytes
embedded_file_obj0008.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x25F2 56 bytes
stream_002_off000003d8.js
529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3D8 1363 bytes
stream_003_off000005b5.js
e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5B5 902 bytes
objstm_0046_00.bin
76654a8c7f3db10d22b5fa1d52fd1e1da1b4bd281c96ca56b72ac17ad2ca1c62		 pdf-objstm-decoded PDF /ObjStm 46 0 obj (inflated) 1805 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.