Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc3cfee9ceacb811…

Verdict: MALICIOUS
File type: PDF

Size: 398.8 KB
Created: 2009-10-08 13:59:47 -05:00
Authoring application: Adobe LiveCycle Designer 8.0
MD5: 8840c1ffc7c40e2c23f22bbb1edd0db3
SHA-1: ea883ebaa63c274ceb70bd0606eadfc189b5ce94
SHA-256: cc3cfee9ceacb81152ca50c06e734368b51127aa15b08f8790950fff17167672
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript and an embedded script payload, indicating an attempt to execute malicious code. The presence of XFA forms and JavaScript actions suggests a common delivery mechanism for exploiting PDF vulnerabilities. The embedded file 'embedded_file_obj0009.bin' is likely the secondary payload. No specific family could be identified.

Heuristics (8)

  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/illustrator/1.0/
    • http://www.iec.ch
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (14)

Files carved from inside the sample during analysis. Each entry lists Filename, SHA-256, Kind, Source and Size; entries that triggered a per-artifact check also carry a Detection block.

  • embedded_file_obj0007.bin
    SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 7 at offset 0x5E309
    Size: 85 bytes
  • embedded_file_obj0008.bin
    SHA-256: ebd19ee31a1f1d52f534ae8b59ae6612d5c4263e3987d20618a9f9517e9ae2ed
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0x5E3BC
    Size: 3359 bytes
  • embedded_file_obj0009.bin
    SHA-256: a6b53f8633ee29b7f9a3eee5861205f06b13e48f05bd54a6b4ae7ec4b925cac0
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 9 at offset 0x5E8AE
    Size: 102235 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 2 long base64-like blob(s).
  • embedded_file_obj0010.bin
    SHA-256: 196ead3e7ba651f4a1783d1958c67cf904627cee976d71531342ddfece0e76dd
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 10 at offset 0x60353
    Size: 1979 bytes
  • embedded_file_obj0011.bin
    SHA-256: f885f582096c48270101c764dd3d3f994844f02f6ae90631b5a255c4a9e3731f
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 11 at offset 0x6047D
    Size: 4748 bytes
  • embedded_file_obj0012.bin
    SHA-256: 7e915b5dd2e321929666a7b64c038b67678092d6e43a4a70683521856a4d5128
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 12 at offset 0x6079B
    Size: 214 bytes
  • embedded_file_obj0013.bin
    SHA-256: c94bbe951194333d6c39782ddf73e968a1a1741cd5455bd47dd6b6da85bb6a60
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 13 at offset 0x60896
    Size: 799 bytes
  • embedded_file_obj0014.bin
    SHA-256: b1b296d371e691ae903fc90e2f3bd69eeac3730137d7c7f5d9379aed02cb51d6
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 14 at offset 0x60AA6
    Size: 110 bytes
  • javascript_obj0265_000.js
    SHA-256: 04ceb4c2218e7db19a6e007ca4ce846f92c17fff5eaf3a611e71bbd7a5726917
    Kind: pdf-javascript-stream
    Source: PDF /JS object 265 at offset 0xEB2
    Size: 1535 bytes
  • javascript_obj0266_001.js
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
    Kind: pdf-javascript-stream
    Source: PDF /JS object 266 at offset 0x109E
    Size: 870 bytes
  • javascript_obj0267_002.js
    SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
    Kind: pdf-javascript-stream
    Source: PDF /JS object 267 at offset 0x11F9
    Size: 2798 bytes
  • font_00_sfnt_off00002ff2.bin
    SHA-256: 058d11642e857508126df5662db2c7af4bdc1892e73eea6fc33f2605a1fc3c20
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2FF2
    Size: 94875 bytes
  • font_01_cff_off0005b76c.bin
    SHA-256: a222a5faa686643e85eab1b2c3544319cbd5729a4df934d8ec0e122c87cb5adc
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x5B76C
    Size: 3846 bytes
  • font_02_cff_off0005c875.bin
    SHA-256: 1f382ea8e50c1720a13008069be1be48e9f1a5772b54908093be17bda663aa16
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x5C875
    Size: 5164 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact entropy is 7.42, consistent with packed or encrypted content.