Malicious PDF — malware analysis report

Static analysis result for SHA-256 c323204e171419b1…

MALICIOUS

PDF

84.7 KB
MD5: 423d404ee15154d9981823af24f1b190 SHA-1: bf8d17d316b7b66a078f630bfc3ae23e630b025e SHA-256: c323204e171419b1431382c02acd15d2e27e1f4cac0a5c9353ff0110fb903eb4
94 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and an embedded script payload, indicating an attempt to exploit vulnerabilities. The presence of the CoolType/SING exploit indicator further supports this. The embedded JavaScript likely downloads and executes a secondary payload, as suggested by the heuristic firings. The benign URLs found do not detract from the malicious nature indicated by the exploit indicators and embedded scripts.

Heuristics 8

  • CoolType/SING font exploit indicator high CVE related PDF_COOLTYPE_SING
    PDF embeds TrueType/OpenType font data with SING/CoolType markers. This is a related indicator for Adobe Reader font-parser exploit families such as CVE-2010-1297, not proof of a specific CVE.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
0f84bde7b19af1b7305bcc6925827cd2a072f22cc8e2f0a4e2ddbadf3b0f0fae		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x58 163 bytes
embedded_file_obj0002.bin
7ddc77ba22dbf3923eefb2c33b5bd8ffe75a1c13500293f589d7f0c51c46ffee		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x14A 2051 bytes
embedded_file_obj0003.bin
6a1f681c2d940811512d94d373e7f23f56970134617a857a4f0a1cf20ba0c778		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x4EE 92314 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
embedded_file_obj0004.bin
9d2011869de08f8301414fa872196926dcf9a8d36d02bebbd485d575a27aaf02		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x3411 2491 bytes
embedded_file_obj0005.bin
da807ee1e361cc380f1dd0f12922b1c22d30b08fd83ee72d7b74ef4dffedb846		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x370A 442 bytes
embedded_file_obj0006.bin
96628b944e71910284481d3752a3dee7c27f618ee8b2caeb6aea4821dde94c35		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x385D 1223 bytes
embedded_file_obj0007.bin
2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x3AB2 80 bytes
embedded_file_obj0008.bin
ec1d6455421ef6e45d56802e07a42144ea807a672a18557ccd374fb06f1959c5		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x3B5D 398 bytes
stream_010_off00006159.js
f94e41f586bf3f20bc1deeac4bfbda388a61db43f25fbd6304ba73f5653368cf		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6159 1313 bytes
stream_011_off00006338.js
1b2ec98752b966f601d5223a750559cf13d562ac5e5c6d1fcc7217835b01f5fd		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6338 902 bytes
objstm_0010_00.bin
c2637b0e69bc447e901c75775791f318f188ec762086d99df9b42d319c6fe42b		 pdf-objstm-decoded PDF /ObjStm 10 0 obj (inflated) 30515 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.