Malicious PDF — malware analysis report

Static analysis result for SHA-256 caeb622b709cda6e…

Verdict: MALICIOUS
File type: PDF
Size: 36.9 KB
Created: 2017-01-28 10:46:17 +00:00
Authoring application: James Hornstein (via William Zodrow)
First seen: 2021-08-25
MD5: cbadeca149d240a62c158244a4cddd19
SHA-1: cc54e86fbcb1a4a7f71248040dace640ca44ea31
SHA-256: caeb622b709cda6e4041cddcf10586e4293646e22df616e2b79ed73cd53c6978
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file exhibits evasion techniques, specifically combining an external action with a malformed XREF table. It also contains a URL shortener that redirects to a secondary URL, likely to obscure the final malicious destination. No scripts were extracted, but the combination of evasion and URL redirection suggests an attempt to lure the user to a malicious site, consistent with phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0012

Heuristics (3)

  • Clickable PDF combines external action with parser-evasion structure (severity: high, PDF_ACTION_PARSER_EVASION)
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Clickable URI uses URL shortener (severity: medium, PDF_URL_SHORTENER_URI)
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://bit.ly/2T2L8W9?url=http://8bbit.com/ec7RH0y9TF6w0lwA.html (channel: PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size and SHA-256.

  • font_00_sfnt_off00000a39.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xA39, 24088 bytes
    SHA-256: 8990d3b953e8c45958c6f2b246ebf65ad773df3117f0302243aec24c2901b734
  • font_01_sfnt_off000041fa.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x41FA, 4712 bytes
    SHA-256: b5b1b5c432d692641e8a41abb6134ba9e3e747bfc50c04ea49b89ae0b98d6fb5
  • font_02_sfnt_off00005076.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x5076, 5352 bytes
    SHA-256: 334399d3a134c9457124b737cfe70407be400cbdcfc09dd65eac938dc13c965e
  • font_03_sfnt_off00006251.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x6251, 15608 bytes
    SHA-256: 525552abfbd797ce622f7249ceb09f99c342544ef78cbe2d8ce5b05cadbf1d0e