Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2aea06953e2d0f0…

MALICIOUS

PDF

34.5 KB Created: 2010-06-11 23:23:27 +08:00
MD5: 1416ff6c9486ae4849d696698ae63d08 SHA-1: ab586c575420d7df393ee3722f19e7206dab46ec SHA-256: c2aea06953e2d0f0f96a73042214e6597ed5d16fd8899d63de3851b1e73e95cd
116 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment

The PDF file exhibits characteristics of a phishing lure, including a small file size, image-heavy content, and an embedded action trigger. The presence of PDF_IMAGE_LURE and PDF_EMBEDDED_SCRIPT_PAYLOAD heuristics strongly suggests that the document is designed to deceive the user into interacting with malicious content. The embedded file 'embedded_file_obj0003.bin' is likely part of the malicious payload delivery mechanism.

Heuristics 9

  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 34 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
84270147774bafb693cefa5666d1072d25266372a748def076468f6f646a453f		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x128F 163 bytes
embedded_file_obj0002.bin
a8b1b6c4a7495d6353e06643ee59323911843844524450bf1068d247661813e3		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x1380 1590 bytes
embedded_file_obj0003.bin
bce51576f361c2a5cb1b5786fb6626eb34a5bbe13e3cf964f10d091b40da35a9		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x167B 4747 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
embedded_file_obj0004.bin
e893fc6010e845f2d992671bea3fe5dbb18bd6d442b5e3f98d9a1f1599fafd25		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x1EBF 199 bytes
embedded_file_obj0005.bin
c8a82f67dfd8d68c2f8fe494ca2deee4604701c8f02863bf87d222b992e45de9		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x1FAD 2955 bytes
embedded_file_obj0006.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x2327 200 bytes
embedded_file_obj0007.bin
733f6d5b45b2367069129a768a516fb18c67d8eea786404ef5632cf493f4226c		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x241A 835 bytes
embedded_file_obj0008.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x25F2 56 bytes
stream_002_off000003d8.js
529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3D8 1363 bytes
stream_003_off000005b5.js
e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5B5 902 bytes
objstm_0046_00.bin
76654a8c7f3db10d22b5fa1d52fd1e1da1b4bd281c96ca56b72ac17ad2ca1c62		 pdf-objstm-decoded PDF /ObjStm 46 0 obj (inflated) 1805 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.