Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf243b90218751d3…

Verdict: MALICIOUS
File type: PDF
Size: 218.7 KB
Created: 2001-10-15 12:49:02 UTC
Authoring application: PageMaker 6.5 (via Acrobat Distiller 5.0 (Windows))
First seen: 2012-10-03
MD5: 6a7b684a2063d51a36d6c536c9fd31a7
SHA-1: c1d2512c23a3d21d866ed94811bfcb9abd0a5df7
SHA-256: cf243b90218751d34efc993e7d054b4432c0268fe251d21dd9fe2767e53a6833
Risk Score: 72

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

This PDF file exhibits multiple suspicious characteristics, including embedded JavaScript streams and embedded files. The presence of these elements strongly indicates an attempt to deliver a malicious payload to the user. While the specific family is not identifiable, the techniques used point towards a downloader or dropper functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5390

Heuristics (6)

  • JavaScript action [low] PDF_JAVASCRIPT (2 related findings)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript issues an HTTP request on open [low] PDF_JS_NETWORK_BEACON
    Embedded JavaScript calls a network API — this.getURL() to an http(s) URL, XMLHttpRequest, or SOAP — typically an open-time beacon / tracking pixel or data-exfil callback. This abuses a legitimate Acrobat API and exploits no vulnerability; the risk is the unsolicited outbound request (confirming recipient open or fetching a next stage).
    Matched lines in script:
        if (ans == 1)
            this.getURL("http://www.adobe.com/products/acrobat/readstep.html", false);
    }
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (as extracted; some adjacent strings are run together):
    • http://www.monotype.comhttp://www.monotype.com/html/type/license.html (referenced by PDF JavaScript)
    • http://www.adobe.com/products/acrobat/readstep.html (referenced by PDF JavaScript)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (referenced by PDF JavaScript)
    • http://ns.adobe.com/iX/1.0/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/pdf/1.3/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/xap/1.0/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/xap/1.0/mm/ (referenced by PDF JavaScript)
    • http://ns.adobe.com/xap/1.0/t/pg/ (referenced by PDF JavaScript)
    • http://purl.org/dc/elements/1.1/ (referenced by PDF JavaScript)
    • http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlNOTIFICATION (referenced by PDF JavaScript)
    • http://www.elster.de/2002/XMLSchema (referenced by PDF JavaScript)

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

verus | pdf-embedded-file | PDF EmbeddedFile object 570 at offset 0x322F7 | 3481 bytes
SHA-256: fd640d8f26e151c509e48640321959c25c629d492a5e1b430bb65afb8319b681
verus_xml | pdf-embedded-file | PDF EmbeddedFile object 571 at offset 0x326BF | 3054 bytes
SHA-256: 4481ab0551e16e8893c8d7701844ce2226d74224c32de4401132519ac0a0a2e2
xml-export | pdf-embedded-file | PDF EmbeddedFile object 572 at offset 0x32B76 | 95 bytes
SHA-256: 0f1227711e937413b21ebaef152709a755cadaed0f6eb5a5c8ad7eee86db5c42
javascript_obj0598_000.js | pdf-javascript-stream | PDF /JS object 598 at offset 0x1778 | 190 bytes
SHA-256: 1d8ddb768f6f3b16adc5038c2daa06fd378d538abe258633c5dcb323364f2fad
Script preview (first 1,000 lines of the extracted script):
function finalize()
{
	for(var a=2; a<this.numPages; a++)
	{		
			
			//this.getField("P"+(a)+".APX.export").hidden=true;
			//this.getField("P"+(a)+".APX.new").hidden=true;		
	}
}
javascript_obj0599_001.js | pdf-javascript-stream | PDF /JS object 599 at offset 0x187B | 238 bytes
SHA-256: f9001e928add60563cd99db41b93208798dbf94c084774571485d1665df0710a
Script preview (first 1,000 lines of the extracted script):
function lfd_calc()
{
	var x=this.getField("P"+(this.numPages-2)+".APX.row9.aa_lfdnr").value;
	console.println(x);
	for (a=0; a<10;a++)
	{
		x=x+1;
		this.getField("P"+(this.numPages-1)+".APX.row"+a+".aa_lfdnr").value=x;
	}
}
javascript_obj0600_002.js | pdf-javascript-stream | PDF /JS object 600 at offset 0x19B6 | 153 bytes
SHA-256: a851723bb1c0c58f5cfbdda619b33f07ac02a30af40acd5e9ac4c9f57577100e
Script preview (first 1,000 lines of the extracted script):
function lock()
{
	//for (a=0; a<this.numFields; a++){this.getField(getNthFieldName(a)).readonly=true;}
	//this.exportAsXFDF ({bAllFields:true});
}
javascript_obj0602_003.js | pdf-javascript-stream | PDF /JS object 602 at offset 0x1AB7 | 155 bytes
SHA-256: 3e02b309c53ab2b07380d69645a7ac2f5be9958ffd7fe3d1150e9e81b8d24e06
Script preview (first 1,000 lines of the extracted script):
function serial()
{

		this.getField("ant.a.head.f_ser_nr").value=util.printd("yyyymmdd", new Date()) +"-"+ new Date().valueOf();
		//lock();
	
}
javascript_obj0685_004.js | pdf-javascript-stream | PDF /JS object 685 at offset 0x8335 | 162 bytes
SHA-256: fb2c48a96d54e9ce706400bb22c458fe694aa9a294ced64f82dab6c47edbed27
Script preview (first 1,000 lines of the extracted script):
if (allowed.indexOf(event.value.substr(0,1))==-1)
{
	app.alert("The input has to start with a letter or a number",1,0,"VAT Application");
	event.rc=false;
}
javascript_obj0686_005.js | pdf-javascript-stream | PDF /JS object 686 at offset 0x8410 | 190 bytes
SHA-256: 49b5cb770d5cc6ffd31c102200060b725171352f64ac59743b571f6b31c1719a
Script preview (first 1,000 lines of the extracted script):
if (event.value!="")
{
	if (allowed_char.indexOf(event.value.substr(0,1))==-1)
	{
		app.alert("The input has to start with a letter",1,0,"VAT Application");
		event.rc=false;
	}
}
javascript_obj0687_006.js | pdf-javascript-stream | PDF /JS object 687 at offset 0x8511 | 112 bytes
SHA-256: 10473caf7ed9a1c02339e86ab79d7327906e69e8476dd17b20e3d09f2f16963e
Script preview (first 1,000 lines of the extracted script):
this.getField("ant.a.head.d_rec_office_brd").value="Bundesamt für Finanzen\nFriedhofstr. 1\n53225 Bonn";
javascript_obj0691_007.js | pdf-javascript-stream | PDF /JS object 691 at offset 0x8845 | 44 bytes
SHA-256: 1ca008e62fc016e30b45edf299933cf9d4e93eb9c8acc8adb5789b4f5535d9fe
Script preview (first 1,000 lines of the extracted script):
event.change=event.change.toUpperCase();
javascript_obj0694_008.js | pdf-javascript-stream | PDF /JS object 694 at offset 0x89DA | 207 bytes
SHA-256: b20172f81f998aff55b5de87581db3d0552c484fa7ef869bfd83e64954d4681a
Script preview (first 1,000 lines of the extracted script):
var a=/\d{7}/
if (event.value!="")
{
	if (a.test(event.value)==false || AFMakeNumber(event.value)<=0)
	{
		app.alert("Invalid identification number",1,0,"VAT Application");
		event.rc=false;
	}
}
javascript_obj0696_009.js | pdf-javascript-stream | PDF /JS object 696 at offset 0x8B48 | 195 bytes
SHA-256: c188933f4f178c80abe8de126901f22bfe222df7f99e6f5578f5d5e1fe71a2cd
Script preview (first 1,000 lines of the extracted script):
if (event.value!="")
{
	if (allowed.indexOf(event.value.substr(0,1))==-1)
	{
		app.alert("The input has to start with a letter or a number",1,0,"VAT Application");
		event.rc=false;
	}
}
javascript_obj0700_010.js | pdf-javascript-stream | PDF /JS object 700 at offset 0x8DF4 | 240 bytes
SHA-256: 25d69d7d388afed07b4ea2ce457c74b01e33978444aeb331b99f9d8ebeafab13
Script preview (first 1,000 lines of the extracted script):
var a=/\d/
if (event.value!="")
{
	for (b=0;b<event.value.length;b++)
	{
		if(a.test(event.value.substr(b,1))==false)
		{		
			app.alert("Only numbers are allowed!",1,0,"VAT Application");
			event.rc=false;
			break;
		}
	}
}
javascript_obj0701_011.js | pdf-javascript-stream | PDF /JS object 701 at offset 0x8F34 | 39 bytes
SHA-256: cf3ef38cead83f4b1b39c7a061c8fef2c62d068861252a2b5ba7c0b959eec058
Script preview (first 1,000 lines of the extracted script):
AFNumber_Format(2, 2, 0, 0, "", false);
javascript_obj0702_012.js | pdf-javascript-stream | PDF /JS object 702 at offset 0x8F84 | 42 bytes
SHA-256: a22e7a3e6dbfb6427839e3a2fdcab1be9d58bdd666536d5308358ec98c59feed
Script preview (first 1,000 lines of the extracted script):
AFNumber_Keystroke(2, 2, 0, 0, "", false);
javascript_obj0703_013.js | pdf-javascript-stream | PDF /JS object 703 at offset 0x8FD7 | 76 bytes
SHA-256: 45390d8de9aada4edf972e272e2a84c8a1ca674cbec47538eb8a32fe7bb08ba8
Script preview (first 1,000 lines of the extracted script):
if (event.value!="" && event.value.length<2){event.value="0"+event.value;}
javascript_obj0704_014.js | pdf-javascript-stream | PDF /JS object 704 at offset 0x904E | 78 bytes
SHA-256: 1fc741b1822ba7673bc33c1bd32cde4460fc496f273ae306bdf740d93bb9d3be
Script preview (first 1,000 lines of the extracted script):
if (event.value!="" && event.value.length<2){event.value="0"+event.value;}
javascript_obj0707_015.js | pdf-javascript-stream | PDF /JS object 707 at offset 0x921A | 78 bytes
SHA-256: f9ba8ecc8047f39063398bd904012d1b38821ec448e7efb2486870a874b3743d
Script preview (first 1,000 lines of the extracted script):
if (event.value!="" && event.value.length<2){event.value="0"+event.value;}
javascript_obj0718_016.js | pdf-javascript-stream | PDF /JS object 718 at offset 0xB471 | 1075 bytes
SHA-256: e4ac14492cf504c432d344255c4af84f939a623c5eaf17f271815d08b57922f4
Script preview (first 1,000 lines of the extracted script):
/*Ubiquity*/
var needsUpdate = 0;
if (app.viewerType == "Exchange" && app.viewerVariation=="Fill-In")
    needsUpdate = 1;
else if (app.viewerType == "Reader")
{
    if (app.viewerVersion >= 5.1)
        needsUpdate = 0;
    else if (app.viewerVersion < 5)
        needsUpdate = 1;
    else
    {
        needsUpdate = 1;
        var aPlugins = app.plugIns;
        var nPlugins = aPlugins.length;
        for (var iPlugin = 0; needsUpdate && iPlugin < nPlugins; ++iPlugin)
        {
            if (aPlugins[iPlugin].name == "SVG")
                needsUpdate = 0;
        }
    }
}
if (needsUpdate)
{
    var ans = app.alert("To use all the features of this document,\nyou must use Acrobat Reader 5.1 or later\nor Acrobat 5.0.5 or later.\n\nBecause you have an older version, or\nAcrobat Approval, some features will not work.\n\nClick OK to download the latest version of\nthe free Acrobat Reader, which will enable\nthe additional features of this document.\n", 1, 1);
    if (ans == 1)
        this.getURL("http://www.adobe.com/products/acrobat/readstep.html", false);
}
javascript_obj0012_017.js | pdf-javascript-stream | PDF /JS object 12 at offset 0xDE32 | 38 bytes
SHA-256: ff0b1e0798b55aee9e494d4b5046c0d747ee05557796f33002cd8f8168a10b67
Script preview (first 1,000 lines of the extracted script):
AFNumber_Format(0, 3, 0, 0, "", true);
javascript_obj0047_019.js | pdf-javascript-stream | PDF /JS object 47 at offset 0x10893 | 41 bytes
SHA-256: 5b4e1a57bf6476c87a1db4d415eeb42e1477d446a4236b8ae4189d3d8f669dde
Script preview (first 1,000 lines of the extracted script):
AFNumber_Keystroke(0, 3, 0, 0, "", true);
javascript_obj0074_020.js | pdf-javascript-stream | PDF /JS object 74 at offset 0x1B548 | 203 bytes
SHA-256: ba24c46dcdc6ec0cc1539c4f72822f7b6447df99fd7c9ed5ed5df2ec37c25147
Script preview (first 1,000 lines of the extracted script):
if (event.value>99999999999.99)
{
	app.alert("VAT Value too high",1,0,"VAT Application");
	event.rc=false;
}
event.value=(Math.floor((event.value*100))/100);
if (event.value==0) {event.value="";}
javascript_obj0103_022.js | pdf-javascript-stream | PDF /JS object 103 at offset 0x1CDC7 | 41 bytes
SHA-256: 6aeb2fc8f6b0dba7b9d76914b437aa0140bcd183b4c2b0d2b66173e7a39a1974
Script preview (first 1,000 lines of the extracted script):
AFNumber_Keystroke(2, 2, 0, 0, "", true);
javascript_obj0169_023.js | pdf-javascript-stream | PDF /JS object 169 at offset 0x1FFC8 | 94 bytes
SHA-256: e192c0bc8c01da4d26b1d85492ed5d2ab826bdeae06c2fe1cb0d9130882e3cce
Script preview (first 1,000 lines of the extracted script):
this.getTemplate("APX").spawn(this.numPages,true,false);
lfd_calc();
calc();
cmd_off();
javascript_obj0177_025.js | pdf-javascript-stream | PDF /JS object 177 at offset 0x2060A | 38 bytes
SHA-256: dd4e86ff46931388298d522a0c25afc2a74df361f28fb6ad9f104ffc1f5056c1
Script preview (first 1,000 lines of the extracted script):
AFNumber_Format(2, 2, 0, 0, "", true);
javascript_obj0353_030.js | pdf-javascript-stream | PDF /JS object 353 at offset 0x26D4C | 92 bytes
SHA-256: fff67e95ee85b0714649792bbee5edcce5f62654d6c6a70660cf20f656433516
Script preview (first 1,000 lines of the extracted script):
this.getTemplate("APX").spawn(this.numPages,true,false);
lfd_calc();
calc();
cmd_off();
javascript_obj0604_031.js | pdf-javascript-stream | PDF /JS object 604 at offset 0x1BC4 | 1198 bytes
SHA-256: b7f90a3bfe074152325ae69bee33e8429080609932fdb39b438b508280ae9f54
Script preview (first 1,000 lines of the extracted script):
function vz(f5a1, f5a2, f5b1, f5b2)
{
	var flag=1;
	if ((f5b1>AFMakeNumber(util.printd("mm", new Date())) && f5b2>=AFMakeNumber(util.printd("yy", new Date()))) || (f5b1<=AFMakeNumber(util.printd("mm", new Date())) && f5b2>AFMakeNumber(util.printd("yy", new Date()))))
		{
			app.alert("Refund period cannot be set to future periods!",1);
			flag=0;
			this.pageNum=0;
		}
		else
		{
			if (f5b1!=12)
			{
				if (f5a1>f5b1 || f5a1>12 || f5b1>12)
				{
					app.alert("Invalid refund period!",1);
					flag=0;
					this.pageNum=0;					
				}
				else
				{
					if ((f5a1+1)>=f5b1) 
					{
						app.alert("The refund period doesn't cover at least 3 months",1);
						flag=0;
						this.pageNum=0;					
					}
				}
			}
		}		
	if (flag==1)
	{
		var ret=app.alert("You have completed the application.\nYou can send the application via Elster.\n\Further editing of this application will not be possible!",1,2,"VAT Application");
		if (ret==4)
		{
			finalize();
			serial();
			//printit();
			this.getField("elster_start").hidden=false;
			this.getField("elster_create").hidden=false;
			this.pageNum=0;
		}
		else
		{
			flag=0;
			return;
		}
	}
}
javascript_obj0605_032.js | pdf-javascript-stream | PDF /JS object 605 at offset 0x1E13 | 278 bytes
SHA-256: eac718632efe3b62333489e7aa8d857c9760ef9fdcbaa514e1d6b6d828e0db71
Script preview (first 1,000 lines of the extracted script):
function printit()
{
	this.getField("version").value="1. Ausfertigung für das Bundesamt für Finanzen - Bonn -";
	this.print({bUI: false, bSilent: true});
	this.getField("version").value="2. Ausfertigung für den Antragsteller";
	this.print({bUI: false, bSilent: true});
}
javascript_obj0606_033.js | pdf-javascript-stream | PDF /JS object 606 at offset 0x1F04 | 782 bytes
SHA-256: b0c0986af174d3f6682c7c0b9ca454f59361a55f0747befa0dbbe9ecf1e206ec
Script preview (first 1,000 lines of the extracted script):
function copy2()
{
	if (event.target.name.substr(-1,1)=="0")
	{	
		this.getField("P"+event.target.name.substring(1,event.target.name.indexOf("."))+".APX.row"+event.target.name.substr(-1,1)+".fa_value"+event.target.name.substr(-1,1)).value=this.getField("P"+(AFMakeNumber(event.target.name.substring(1,event.target.name.indexOf(".")))-1)+".APX.row9.fa_value9").value;
	}
	else
	{
		this.getField("P"+event.target.name.substring(1,event.target.name.indexOf("."))+".APX.row"+event.target.name.substr(-1,1)+".fa_value"+event.target.name.substr(-1,1)).value=this.getField("P"+event.target.name.substring(1,event.target.name.indexOf("."))+".APX.row"+((AFMakeNumber(event.target.name.substr(-1,1)))-1)+".fa_value"+((AFMakeNumber(event.target.name.substr(-1,1)))-1)).value;
	}
}
javascript_obj0607_034.js | pdf-javascript-stream | PDF /JS object 607 at offset 0x2025 | 1236 bytes
SHA-256: 4b0473c2e3784a39852d6209523df8ed1d4b4d2f27da8a9ed8ed535bbfc32671
Script preview (first 1,000 lines of the extracted script):
function copy1()
{	
	if (event.target.name.substr(-1,1)=="0")
	{
		this.getField("P"+event.target.name.substring(1,event.target.name.indexOf("."))+".APX.row"+event.target.name.substr(-1,1)+".ba_art").value=this.getField("P"+(AFMakeNumber(event.target.name.substring(1,event.target.name.indexOf(".")))-1)+".APX.row9.ba_art").value;
		this.getField("P"+event.target.name.substring(1,event.target.name.indexOf("."))+".APX.row"+event.target.name.substr(-1,1)+".ca_name").value=this.getField("P"+(AFMakeNumber(event.target.name.substring(1,event.target.name.indexOf(".")))-1)+".APX.row9.ca_name").value;
	}
	else
	{	
		this.getField("P"+event.target.name.substring(1,event.target.name.indexOf("."))+".APX.row"+event.target.name.substr(-1,1)+".ba_art").value=this.getField("P"+event.target.name.substring(1,event.target.name.indexOf("."))+".APX.row"+((AFMakeNumber(event.target.name.substr(-1,1)))-1)+".ba_art").value;
		this.getField("P"+event.target.name.substring(1,event.target.name.indexOf("."))+".APX.row"+event.target.name.substr(-1,1)+".ca_name").value=this.getField("P"+event.target.name.substring(1,event.target.name.indexOf("."))+".APX.row"+((AFMakeNumber(event.target.name.substr(-1,1)))-1)+".ca_name").value;
	}
}
javascript_obj0608_035.js | pdf-javascript-stream | PDF /JS object 608 at offset 0x2152 | 324 bytes
SHA-256: 7fcd2728038da9e6e6c3085f59c15b7574ee95427088b2e7c191240d4193d531
Script preview (first 1,000 lines of the extracted script):
function cmd_off()
{
	for (var a=2; a<this.numPages; a++)
	{
		if (a>2)
		{
			this.getField("P"+(a-1)+".APX.export").hidden=true;
			this.getField("P"+(a-1)+".APX.new").hidden=true;
		}
		else
		{
			this.getField("P"+a+".APX.export").hidden=true;
			this.getField("P"+a+".APX.new").hidden=true;
		}	
	}	
}