Malicious PDF — malware analysis report

Static analysis result for SHA-256 c727d20730a1be7a…

Verdict: MALICIOUS
File type: PDF
Size: 476.1 KB
Created: 2010-07-02 08:58:56 -07:00
Authoring application: Acrobat Editor 9.0 (via Adobe Acrobat 9.0.0)
MD5: 005ed50b58586f25dd5c263e4ca7b20d
SHA-1: b8eb6f3e4b4d886b9ed0e9f03e50ab8b3fea8c28
SHA-256: c727d20730a1be7a295d8b5831e4eb976a82417869d713420555c4ebba751c00
Risk score: 178

Malware Insights

MITRE ATT&CK

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

This PDF file exhibits multiple high-severity findings: embedded JavaScript, Flash (RichMedia) content, and a second PDF body appended inside the file. The JavaScript calls unescape(), the usual way PDF exploit scripts decode shellcode, and the ML classifier scores the file at 0.9977; together these strongly suggest malicious intent. JavaScript combined with an embedded SWF was the standard delivery pattern for Adobe Reader exploits in the period the file was created (2010); it is most likely intended to execute arbitrary code in the reader and may then fetch a further payload. The document URLs point to pages on the Japanese Ministry of Foreign Affairs site (mofa.go.jp), which is consistent with a decoy document shown to the victim; the remaining extracted URLs are XMP/RDF metadata namespace identifiers, not links. Note that none of the static findings below involves PowerShell, so the T1059.001 mapping is not corroborated by this analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9977

Heuristics (9)

  • RichMedia (Flash) [high] PDF_RICHMEDIA
    PDF contains a /RichMedia annotation (embedded Adobe Flash), a historic exploit vector.
  • unescape() call [high] PDF_UNESCAPE
    unescape() found; often used to decode shellcode in PDF JavaScript exploits. Matched inside a decoded stream, so a plain grep of the file on disk would not find it.
  • Secondary embedded PDF body has suspicious static findings [high] POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload. Here the container is itself a PDF; the second body starts at offset 0x74C08 (see Extracted artifacts).
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Document URLs (all on mofa.go.jp, the Japanese Ministry of Foreign Affairs):
    • http://www.mofa.go.jp/mofaj/area/taisen/qa/01.html
    • http://www.mofa.go.jp/mofaj/area/taisen/qa/02.html
    • http://www.mofa.go.jp/mofaj/area/taisen/qa/03.html
    • http://www.mofa.go.jp/mofaj/area/taisen/qa/04.html
    • http://www.mofa.go.jp/mofaj/area/taisen/qa/05.html
    • http://www.mofa.go.jp/mofaj/area/taisen/qa/08.html
    • http://www.mofa.go.jp/mofaj/area/taisen/qa/09.html
    • http://www.mofa.go.jp/mofaj/area/taisen/qa/10.html
    XMP metadata namespace identifiers (schema URIs from the document's XMP packet, standard in Adobe-produced PDFs; these are not navigable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
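The heuristics above are simple static checks, and a practitioner will often want to reproduce them outside the sandbox before trusting a verdict. The Python script below is an added example, not the analysis tool's own code and not code from the sample. It counts the /JavaScript, /JS, /RichMedia, /EmbeddedFile and /URI names after resolving #xx hex escapes (a common evasion of naive name matching), inflates FlateDecode streams before searching for unescape( so that the "matched inside decoded stream" case is caught, locates a "%PDF-" header at a nonzero offset and re-triages the carved body the way POLYGLOT_CHILD_PDF_STATIC_TRIAGE does, and collects URLs. The rule ids are the ones used in this report; the sample PDF, its object numbers, its JavaScript and its link are constructed for the example and the file omits an xref table, so it is triage input rather than a document a reader would render.

```python
import json
import re
import zlib

# Constructed sample, not the analysed file: a minimal PDF carrying the markers
# the report's heuristics fire on, with a second "%PDF-" body appended at a
# nonzero offset. Object numbers, the JavaScript and the link are invented.
JS_PAYLOAD = b"var s = unescape('%u9090%u9090'); app.alert(s);"
JS_STREAM = zlib.compress(JS_PAYLOAD)  # /FlateDecode hides the text from a plain grep
SAMPLE_PDF = b"".join([
    b"%PDF-1.7\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
    b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n",  # hex-escaped /JavaScript
    b"5 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(JS_STREAM),
    JS_STREAM, b"\nendstream endobj\n",
    b"6 0 obj << /Type /Annot /Subtype /RichMedia /RichMediaContent 7 0 R >> endobj\n",
    b"8 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nFWS\x00\nendstream endobj\n",
    b"9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI ",
    b"/URI (http://www.mofa.go.jp/mofaj/area/taisen/qa/01.html) >> >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
    # Second document body: what POLYGLOT_CHILD_PDF_STATIC_TRIAGE carves and re-triages.
    b"%PDF-1.4\n1 0 obj << /Type /Catalog ",
    b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
NAME_RULES = {  # PDF name -> (rule id from the report, severity)
    b"/JavaScript": ("PDF_JAVASCRIPT", "low"),
    b"/JS": ("PDF_JS", "low"),
    b"/RichMedia": ("PDF_RICHMEDIA", "high"),
    b"/EmbeddedFile": ("PDF_EMBEDDED", "low"),
    b"/URI": ("PDF_URI", "info"),
}


def unescape_names(data):
    """Resolve PDF name hex escapes (#xx) so /J#61vaScript counts as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def stream_bodies(data, inflate=True):
    """Return every stream body, inflated when it is a valid zlib (FlateDecode) stream."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        if inflate:
            try:
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                pass  # not Flate-encoded (e.g. a raw SWF): keep the bytes as they are
        bodies.append(body)
    return bodies


def scan_pdf(data, inflate=True):
    """pdfid-style static triage; keys in "rules" are the rule ids used in the report."""
    outside = STREAM_RE.sub(b"stream\nendstream", data)  # object dictionaries only
    text = unescape_names(b"\n".join([outside] + stream_bodies(data, inflate)))
    rules = {}
    for name, (rule, severity) in NAME_RULES.items():
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if hits:
            rules[rule] = {"severity": severity, "count": hits}
    hits = len(re.findall(rb"unescape\s*\(", text))
    if hits:
        rules["PDF_UNESCAPE"] = {"severity": "high", "count": hits}
    # A "%PDF-" header past offset 0 starts a second document body: carve it and
    # run the same triage on it, as POLYGLOT_CHILD_PDF_STATIC_TRIAGE does.
    children = [m.start() for m in re.finditer(rb"%PDF-\d\.\d", data) if m.start() > 0]
    for offset in children:
        if scan_pdf(data[offset:], inflate)["rules"]:
            rules["POLYGLOT_CHILD_PDF_STATIC_TRIAGE"] = {"severity": "high", "offset": offset}
            break
    urls = sorted({m.group(0).decode("latin-1")
                   for m in re.finditer(rb"https?://[^\s()<>\[\]]+", text)})
    return {"rules": rules, "child_pdf_offsets": children, "urls": urls}


if __name__ == "__main__":
    print(json.dumps(scan_pdf(SAMPLE_PDF), indent=2))
```

Running the script prints the findings as JSON. Calling scan_pdf(SAMPLE_PDF, inflate=False) drops PDF_UNESCAPE from the result, which is the point of the report's "matched inside decoded stream" remark: the call is only visible after the stream is inflated. The script handles only FlateDecode and does not unpack object streams (/ObjStm) or other filters, so a production triage tool needs a real PDF parser behind the same checks.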

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • ooo17035.swf
    SHA-256: 26fbdef78fa3dd0f74a41854651539a2b1bcefedcac6eef12f888e09805731ac
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 4 at offset 0x1833
    Size: 20428 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content. Note that an SWF whose signature is CWS or ZWS is zlib- or LZMA-compressed by specification, so near-maximal entropy is the normal case for a compressed Flash file and is not on its own evidence of a packed or encrypted payload; treat this artifact's "likely" verdict as weaker than the one for the JavaScript stream, which rests on decoder tokens and an encoded blob.
  • noharm10608.swf
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 3 at offset 0x74C7A
    Size: 3144 bytes
  • javascript_obj0073_000.js
    SHA-256: eba4250d6c27a75cec4ef59707209931ebeb38f69995942f5729c4f11c4cb72a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 73 at offset 0x3B5F8
    Size: 14018 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s) and 1 long base64-like blob(s).
  • polyglot_child_pdf_off00074c08.pdf
    SHA-256: 5d7287e61fa32214558e0964d3e3e0ee86fc12f380facb8afe13dadbc407c451
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside the PDF container at offset 0x74C08
    Size: 9328 bytes

Layout note: the secondary PDF body starts at 0x74C08 (478,216 bytes) and is 9,328 bytes long, so it ends at 487,544 bytes, which matches the reported file size of 476.1 KB; the second PDF is therefore appended at the tail of the outer document. EmbeddedFile object 3 (noharm10608.swf, offset 0x74C7A) lies 0x72 bytes inside that body, so the second SWF is carried by the appended PDF rather than by the outer one.
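The artifact-level checks above (entropy, eval/decoder tokens, base64-like blobs) are easy to reproduce and worth re-running on carved files so that the "Obfuscation or payload: likely" verdict can be weighed per artifact. The script below is an added example, not the analysis tool's own code: it computes Shannon entropy, counts decoder tokens and long base64-like runs, and checks the SWF signature so that the expected high entropy of a CWS/ZWS-compressed Flash body is reported as a note rather than as a packing indicator. The 7.5 bits/byte threshold, the 200-character blob length and the three constructed artifacts (a CWS SWF with a random body, an uncompressed FWS SWF, and a JavaScript snippet) are assumptions made for the example.

```python
import base64
import math
import random
import re
import zlib


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# SWF container signatures. CWS (zlib) and ZWS (LZMA) bodies are compressed by
# specification, so near-8.0 entropy is the normal case for them, not evidence of packing.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
DECODER_TOKENS = re.compile(rb"\b(eval|unescape|String\.fromCharCode|atob|decodeURIComponent)\s*\(")
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
HIGH_ENTROPY = 7.5  # assumed threshold for "packed or encrypted" (bits per byte)


def triage_artifact(name, data):
    """Static triage of one carved artifact, mirroring the report's artifact labels."""
    result = {"name": name, "size": len(data),
              "entropy": round(shannon_entropy(data), 2),
              "swf_body": SWF_SIGNATURES.get(data[:3]),
              "suspicious": [], "notes": []}
    if result["entropy"] >= HIGH_ENTROPY:
        if result["swf_body"] in ("zlib", "lzma"):
            result["notes"].append("high entropy expected: %s-compressed SWF body" % result["swf_body"])
        else:
            result["suspicious"].append(
                "entropy %.2f, consistent with packed or encrypted content" % result["entropy"])
    tokens = DECODER_TOKENS.findall(data)
    if tokens:
        result["suspicious"].append("%d eval/decoder token(s)" % len(tokens))
    blobs = BASE64_BLOB.findall(data)
    if blobs:
        result["suspicious"].append("%d long base64-like blob(s)" % len(blobs))
    result["likely_payload"] = bool(result["suspicious"])
    return result


# Constructed artifacts (not the files carved from the analysed sample).
_rng = random.Random(7)  # seeded so the sample is reproducible
_random_body = bytes(_rng.getrandbits(8) for _ in range(8192))
CWS_SAMPLE = b"CWS\x0a" + (len(_random_body) + 8).to_bytes(4, "little") + zlib.compress(_random_body)
FWS_SAMPLE = b"FWS\x0a" + (512).to_bytes(4, "little") + b"\x00" * 504
JS_SAMPLE = b"".join([
    b'var k = "', base64.b64encode(bytes(range(256))), b'";\n',
    b'eval(unescape("%u9090%u9090"));\n',
])

if __name__ == "__main__":
    for name, blob in (("cws_sample.swf", CWS_SAMPLE),
                       ("fws_sample.swf", FWS_SAMPLE),
                       ("js_sample.js", JS_SAMPLE)):
        print(triage_artifact(name, blob))
```

The CWS sample scores near 8.0 bits per byte yet is not flagged as a payload, because its entropy is explained by the container format; the JavaScript sample is flagged on its two decoder calls and one encoded blob, which is the same evidence the report cites for javascript_obj0073_000.js.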