Malicious PDF — malware analysis report

Static analysis result for SHA-256 caa7b052bdffa5cb…

Verdict: MALICIOUS
File type: PDF
Size: 57.4 KB
Created: 2017-04-18 11:49:08 +03:00
Authoring application: iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5: d7933df0556dc163acd4d50ce01422b0
SHA-1: 4fd930dd25f7834c992513d7840bff62b40dfffb
SHA-256: caa7b052bdffa5cb75d0b29dc7c4c1d2989f08b8fa170e0288bc7851f3d12308
Risk score: 174

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF was flagged by ML classifiers and ClamAV as malicious, specifically as a downloader. Embedded JavaScript was extracted, which is a common technique for initiating malicious actions. The ClamAV detection name 'Doc.Downloader.Donoff-10030369-0' strongly suggests the file's purpose is to download additional malware. The embedded JavaScript stream is likely responsible for this download functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Doc.Downloader.Donoff-10030369-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Donoff-10030369-0
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: 455064.docm
    SHA-256: b6fd3a245ab4b7e0556dc3b9d6147a491d87b444cf4d4b564b249d297802ad72
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 3 at offset 0x61
    Size: 65229 bytes
    Detection: ClamAV: Doc.Downloader.Donoff-10030369-0
    Obfuscation or payload: unlikely
  • Filename: javascript_obj0005_000.js
    SHA-256: 13c470ea784cc1fd8dca133e43ff6ef38404fd6b7c625b1e531cae17c56ab121
    Kind: pdf-javascript-stream
    Source: PDF /JS object 5 at offset 0xDFF4
    Size: 243 bytes