Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd2dff17c4a40307…

MALICIOUS

PDF

27.4 KB Created: 2010-02-25 16:19:51 +01:00 Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 9.0.0 (Windows))
MD5: f8944f8d5e7077cf84b264bae8245299 SHA-1: 12eee95baf5afb93f2bb7abad0b811890c001349 SHA-256: cd2dff17c4a40307e511d5c4db28d2b7985b9e5e755c2cfcb92994e5e921b989
174 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

This PDF file is flagged as malicious by multiple engines, including ClamAV which identifies it as the EICAR test signature. It contains embedded JavaScript and an embedded file, both common techniques for delivering malicious payloads. The embedded JavaScript stream is likely responsible for executing the malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 6

  • ClamAV: Eicar-Test-Signature critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Eicar-Test-Signature
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
eicar.com
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x5BA2 68 bytes
Detection
ClamAV: Eicar-Test-Signature
Obfuscation or payload: unlikely
javascript_obj0013_000.js
96e70381bb9d3e5feaf19d1051707cd6fa9ad3a8ba3d5afb7a4544f8d10fc0bb		 pdf-javascript-stream PDF /JS object 13 at offset 0x49E 1438 bytes
icc_00_off00004e93.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x4E93 3144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.