Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7f05233be46d189…

MALICIOUS

PDF

269.1 KB Created: 2010-02-25 09:23:00 -08:00
MD5: b27fcbc48e6dfebf81fce085e00d876b SHA-1: cc1c8472aa50066bb78fcb0a946995f94e5e8c0b SHA-256: c7f05233be46d189fcc0bfa32b1048c47be42587e06d125e641d16b09be346ec
72 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment

The PDF file contains embedded JavaScript and an embedded script payload, indicating malicious intent. The 'PDF_IMAGE_LURE' heuristic suggests the document is designed as a phishing lure, presenting an image to trick the user into clicking an embedded action. No document body text was available for analysis, but the presence of embedded scripts and the lure technique strongly suggest the document is intended to redirect the user to a malicious site or download further malware.

Heuristics 7

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 2 image(s), only 1 text block(s), carries a click-outward action, and is only 269 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 12

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x1BD7 85 bytes
embedded_file_obj0002.bin
52f043a6fc7df55209bb983ed6c7d2cbf223d70807f647258f3320e58aef00a9		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x1C89 1465 bytes
embedded_file_obj0003.bin
af16e0cb98e636cca488174851c84e433b9acda855828256025165579bf7f91e		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x1F44 973 bytes
embedded_file_obj0004.bin
4c87fff0298e6b6310f08213f7b3439fedd074a4e2fcb086e9c9fdaaf19170a1		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x2193 11882 bytes
embedded_file_obj0005.bin
226eeacc5eecef2a05ca480f144ff6936594e20b5c7672e8f29f25c8bea65a56		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x2640 2928 bytes
embedded_file_obj0006.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x29AD 200 bytes
embedded_file_obj0007.bin
1e96d28fce4fbbc1f0f529e2266e0d503636f29111a4ea3cb8464bc9f6b5250a		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x2AA0 835 bytes
embedded_file_obj0008.bin
8f96f8652bbe352f96051db71b660e225a5fc0ae5963e496720bd7a5634fd5d2		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x2C79 291 bytes
stream_002_off000003ac.js
f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3AC 1532 bytes
stream_003_off00000597.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x597 870 bytes
stream_007_off00001141.bin
6186bf7481376005e86ab25ed2e152e26cab09bfed803e7a2418bf67cbf529e4		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1141 1030 bytes
stream_008_off000013b0.bin
05be3559404a8717e68e6b5884bea90b066cd04a5d42d7ddf2487abda5869e78		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x13B0 2983 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.