Malicious PDF — malware analysis report

Static analysis result for SHA-256 cfdd74f81c17df6d…

MALICIOUS

PDF

13.2 KB Authoring application: Python PDF Library 055 http072057057pybrary056net057pyPdf057
MD5: 3547b1a8f2a44a3c5726b8677e27f554 SHA-1: 40abc083551873eeff396faac5858803a4f95e33 SHA-256: cfdd74f81c17df6d121d59f3c7443b285785b8b75000978d67441c91350f758e
64 Risk Score

Malware Insights

MITRE ATT&CK
T1559.002 Component Object Model Hijacking T1204.002 Malicious File

The PDF contains embedded JavaScript and RichMedia (Flash) content, indicating an attempt to exploit vulnerabilities. The embedded file 'sploit.swf' is highly suspicious and likely contains the exploit code. While a benign URL was extracted, the presence of these exploit vectors strongly suggests malicious intent.

Heuristics 5

  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://adobe.com/AS3/2006/builtin

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
sploit.swf
70e6dbce3b11aaece2d38f1d315dee7736c7ab9138a74cdadc8126393c857018		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x1062 781 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.