Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd2efac0af4d305d…

Verdict: MALICIOUS
File type: PDF
Size: 1.72 MB
Created: 2008-11-24 16:22:30 UTC
Authoring application: Adobe LiveCycle Designer ES 8.2
First seen: 2015-09-24
MD5: 7cc9eade2ee2b8d20d887a0904cf4482
SHA-1: 980747701a6f7d24f57a6ec4d15d079e07965f43
SHA-256: cd2efac0af4d305de7e9fb52d3b4300cd794a36718da64646477e92a21638a84
Risk score: 86

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The PDF file exhibits multiple indicators of malicious intent, including embedded JavaScript streams and embedded files. The presence of 'PDF_JAVASCRIPT', 'PDF_JS', and 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristics strongly suggests that the document is designed to execute code. Specifically, the 'stream_002_off000009df.js' artifact is flagged as a suspicious extracted artifact, indicating it likely contains malicious scripting. The overall structure points towards a delivery mechanism for a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8748

Heuristics (7)

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (with the channel that referenced each):
    • http://www.monotype.comMonotype (referenced by PDF JavaScript)
    • http://ocsp.verisign.com0 (referenced by PDF JavaScript)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (referenced by PDF JavaScript)
    • http://ns.adobe.com/pdf/1.3/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/xap/1.0/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/xap/1.0/mm/ (referenced by PDF JavaScript)
    • http://purl.org/dc/elements/1.1/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/xfa/promoted-desc/ (referenced by PDF JavaScript)
    • http://cgi.adobe.com/special/acrobat/update (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xci/1.0/ (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xci/2.8/ (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-template/2.5/ (referenced by PDF JavaScript)
    • http://www.w3.org/1999/xhtml (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-data/1.0/ (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-locale-set/2.7/ (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-locale-set/2.1/ (referenced by PDF JavaScript)
    • https://www.verisign.com/rpa (referenced by PDF JavaScript)
    • http://ocsp.verisign.com/ocsp/status0 (referenced by PDF JavaScript)
    • https://www.verisign.com/rpa0 (referenced by PDF JavaScript)
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0 (referenced by PDF JavaScript)
    • http://www.microsoft.com/typography (referenced by PDF JavaScript)
    • http://www.monotype.com/html/mtname/ms_timesnewroman.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.html (referenced by PDF JavaScript)
    • http://crl.verisign.com/tss-ca.crl0 (referenced by PDF JavaScript)
    • http://crl.verisign.com/ThawteTimestampingCA.crl0 (referenced by PDF JavaScript)
    • https://www.verisign.com/rpa01 (referenced by PDF JavaScript)
    • http://crl.verisign.com/pca3.crl0 (referenced by PDF JavaScript)
    • http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D (referenced by PDF JavaScript)
    • http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0 (referenced by PDF JavaScript)
    • http://www.adobe.com/typehttp://www.adobe.com/type/legal.html (referenced by PDF JavaScript)
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0O (referenced by PDF JavaScript)
    • http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0 (referenced by PDF JavaScript)
    • https://www.verisign.com/repository/RPA0 (referenced by PDF JavaScript)
    • https://www.verisign.com/repository/CPS (referenced by PDF JavaScript)
    • https://www.verisign.com (referenced by PDF JavaScript)
    • https://www.verisign.com/repository/verisignlogo.gif0 (referenced by PDF JavaScript)
    • https://www.verisign.com/CPS (referenced by PDF JavaScript)
    • http://www.microsoft.com/truetype/0 (referenced by PDF JavaScript)
    • http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.html (referenced by PDF JavaScript)
    • http://ns.adobe.com/xdp/ (referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xfa-form/2.6/ (referenced by PDF JavaScript)
    • https://www.verisign.com/repository/CPS (in PDF document text)
    • https://www.verisign.com/repository/verisignlogo.gif0 (in PDF document text)

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
embedded_file_obj0078.bin | pdf-embedded-file | PDF EmbeddedFile object 78 at offset 0x1B6AC1 | 554 bytes
SHA-256: 86cf896de96c2ad494c84062b5e83d122f007e4ae1c3fdda0e92b034d85df45c
embedded_file_obj0079.bin | pdf-embedded-file | PDF EmbeddedFile object 79 at offset 0x1B6C47 | 162 bytes
SHA-256: 33fcb034ad0d88c077e37a5a8a701696b819dbf6d1df1998c45825aecac3d0c4
embedded_file_obj0080.bin | pdf-embedded-file | PDF EmbeddedFile object 80 at offset 0x1B6D37 | 533 bytes
SHA-256: 9aacb9ff7c0c421887cddd2c40af58e65c2c955067132a1dd56bf120a66a6444
javascript_obj0043_000.js | pdf-javascript-stream | PDF /JS object 43 at offset 0x170848 | 1367 bytes
SHA-256: f8721569904600df33f536ddc9f4942717077f9d6c3c4253a8f4de5650fc6531
Script preview (first 1,000 lines of the extracted script):
if (typeof(xfa_installed) == "undefined" || typeof(xfa_version) == "undefined" || xfa_version < 2.5)
{
   if (app.viewerType == "Reader")
   {
      if (ADBE.Reader_Value_Asked != true)
      {
         if (app.viewerVersion < 8.0)
         {
            if (app.alert(ADBE.Reader_string_Need_New_Version_Msg, 1, 1) == 1)
               this.getURL(ADBE.Reader_Value_New_Version_URL + ADBE.SYSINFO, false);
            ADBE.Reader_Value_Asked = true;
         }
         else if (app.alert(ADBE.Viewer_Form_string_Viewer, 1, 1) == 1)
            app.findComponent({cType:"Plugin", cName:"XFA", cDesc: ADBE.Viewer_string_Update_Desc});
      }
   }
   else
   {
      if (ADBE.Viewer_Value_Asked != true)
      {
         if (app.viewerVersion < 7.0)
            app.response({cQuestion: ADBE.Viewer_Form_string_Viewer_Older, cDefault: ADBE.Viewer_Value_New_Version_URL + ADBE.SYSINFO, cTitle: ADBE.Viewer_string_Title});
		   else if (app.viewerVersion < 8.0)
         {
            if (app.alert(ADBE.Viewer_Form_string_Viewer, 1, 1) == 1)
               app.launchURL(ADBE.Viewer_Value_New_Version_URL + ADBE.SYSINFO, true);
         }
         else if (app.alert(ADBE.Viewer_Form_string_Viewer, 1, 1) == 1)
            app.findComponent({cType:"Plugin", cName:"XFA", cDesc: ADBE.Viewer_string_Update_Desc});
         ADBE.Viewer_Value_Asked = true;
      }
   }
}
javascript_obj0044_001.js | pdf-javascript-stream | PDF /JS object 44 at offset 0x170A2E | 902 bytes
SHA-256: 91ea259764c68d27b8981a339c02d8ea92224ae5c0d0cd0a7c8f3d645d599090
Script preview (first 1,000 lines of the extracted script):
if (typeof(ADBE.Reader_Value_Asked) == "undefined")
   ADBE.Reader_Value_Asked = false;
if (typeof(ADBE.Viewer_Value_Asked) == "undefined")
   ADBE.Viewer_Value_Asked = false;
if (typeof(ADBE.Reader_Need_Version) == "undefined" || ADBE.Reader_Need_Version < 8.0)
{
   ADBE.Reader_Need_Version = 8.0;
   ADBE.Reader_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
   ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&r=" + ADBE.Reader_Need_Version;
}
if (typeof(ADBE.Viewer_Need_Version) == "undefined" || ADBE.Viewer_Need_Version < 8.0)
{
   ADBE.Viewer_Need_Version = 8.0;
   ADBE.Viewer_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
   ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&r=" + ADBE.Viewer_Need_Version;
}
javascript_obj0045_002.js | pdf-javascript-stream | PDF /JS object 45 at offset 0x170B88 | 2795 bytes
SHA-256: 826c5622c798d67e5281cca7e05933dddc90ccdcb0a6177c9f7d06f11bef8f7f
Script preview (first 1,000 lines of the extracted script):
if (typeof(this.ADBE) == "undefined")
   this.ADBE = new Object();
ADBE.LANGUAGE = "ENU";
ADBE.Viewer_string_Title = "Adobe Acrobat";
ADBE.Viewer_string_Update_Desc = "Adobe Interactive Forms Update";
ADBE.Viewer_string_Update_Reader_Desc = "Adobe Reader 7.0.5";
ADBE.Reader_string_Need_New_Version_Msg = "This PDF file requires a newer version of Adobe Reader. Press OK to download the latest version or see your system administrator.";
ADBE.Viewer_Form_string_Reader_601 = "This PDF form requires a newer version of Adobe Reader. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK to initiate an online update or see your system administrator.";
ADBE.Viewer_Form_string_Reader_Older = "This PDF form requires a newer version of Adobe Reader. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK for online download information or see your system administrator.";
ADBE.Viewer_Form_string_Viewer_601 = "This PDF form requires a newer version of Adobe Acrobat. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK to initiate an online update or see your system administrator.";
ADBE.Viewer_Form_string_Viewer_60 = "This PDF form requires a newer version of Adobe Acrobat. Although the form may appear to work properly, some elements may function improperly or may not appear at all. For more information please copy the following URL (CTRL+C on Win, Command-C on Mac) and paste into your browser or see your system administrator.";
ADBE.Viewer_Form_string_Viewer_Older = "This PDF requires a newer version of Acrobat. Copy this URL and paste into your browser or see your sys admin.";
ADBE.Viewer_Form_string_Reader_5x = "This PDF form requires a newer version of Adobe Reader. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will open your browser to a web page where you can obtain the latest version.";
ADBE.Viewer_Form_string_Reader_6_7x = "This PDF form requires a newer version of Adobe Reader. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will download and install the latest version.";
ADBE.Viewer_Form_string_Viewer = "This PDF form requires a newer version of Adobe Acrobat. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will download and install the latest version.";
stream_001_off000006c2.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6C2 | 1715 bytes
SHA-256: f2b531523b7ccb9a2e5d54150a197e1d6872401b3c1dac18984247bb2e2eb0a2
stream_002_off000009df.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x9DF | 178193 bytes
SHA-256: b8b44f2f63151d80bc23d3ca30280761fac36b4552213ff72ca96ed94b77219f
  Detection
    ClamAV: No threats found
    Obfuscation or payload: likely
    1700 of 2885 identifiers look randomly generated (e.g. 'B000C000F0010001100120013001400150016001'); 19 string-concatenation chain(s) — consistent with name-mangling obfuscation. Carved artifact contains 3 long base64-like blob(s).
stream_003_off00012cba.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x12CBA | 2639 bytes
SHA-256: 082f472e25c07424c90be5766bb994d529097732b7ebe460ac4773444f19f3c2
stream_006_off00013392.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x13392 | 409252 bytes
SHA-256: a0f5b5f69a88877ffaa1733f0e0bbf9b4b3eef82f4ff804c724870cecea228d2
stream_007_off0004e22e.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4E22E | 398350 bytes
SHA-256: 3865d93c0c2166362b36dcedd4241f4d13e97beb2582d99741eb0ef72770f9b8
stream_009_off00097f7e.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x97F7E | 766631 bytes
SHA-256: c22cf818ffadf4f63440fe3f4960440b661092db17f0c578e807c64aab65d74a
stream_010_off001048fd.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1048FD | 744529 bytes
SHA-256: 11ffb563dd3be6aa135558853e19fb92f06d0fa8f207826288196beee78acdfb
stream_014_off00171262.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x171262 | 248352 bytes
SHA-256: 823578bc844bb7336e674fd02ccb49124f640a4030497e7c39f6e98840440f80
font_00_sfnt_off00087c9a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x87C9A | 95975 bytes
SHA-256: c29e5b1537bee8c88b3ffca56c5f24a45ec8da374cf9d4c0b4a78d04fc230949
font_02_sfnt_off00197c35.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x197C35 | 207787 bytes
SHA-256: 3d745d2361b687c27c008b1c8f5df7f741d33aff8f3cd54d1b7c500458fc4826