Malicious PDF — malware analysis report

Static analysis result for SHA-256 d26f2a57a6147d45…

MALICIOUS

PDF

220.5 KB Created: 2010-03-03 03:42:28 +08:00
MD5: 6e79671c3393f09e6fe5c5801f7df67b SHA-1: c570c4aaf37036336a72eae44b0e118c4423473f SHA-256: d26f2a57a6147d450d94477d5f4a5be31536000c7e4374a49913e97679cffeac
74 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded JavaScript and an embedded file named 'bin_adobeupdate.wav', suggesting it's designed to execute malicious code or download further payloads. The 'Image-only document with action trigger' heuristic indicates a common phishing lure technique where a visual element hides a malicious click-outward action. The embedded file 'bin_adobeupdate.wav' is a strong indicator of a dropped payload.

Heuristics 8

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 1 text block(s), carries a click-outward action, and is only 220 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0002.bin
52f043a6fc7df55209bb983ed6c7d2cbf223d70807f647258f3320e58aef00a9		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0xFC8 1465 bytes
embedded_file_obj0003.bin
75b1b32ce086dcfb46ad5ad812bcac90dbc30017591e95d16cc14e8406c61fbf		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x1283 986 bytes
embedded_file_obj0005.bin
226eeacc5eecef2a05ca480f144ff6936594e20b5c7672e8f29f25c8bea65a56		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x14D1 2928 bytes
embedded_file_obj0006.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 6 at offset 0x183E 200 bytes
embedded_file_obj0007.bin
1e96d28fce4fbbc1f0f529e2266e0d503636f29111a4ea3cb8464bc9f6b5250a		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x1931 835 bytes
embedded_file_obj0123.bin
bb76e51bb8b760432fa497d467a6211dbad4e19a09c332250c9ac2b240d23f80		 pdf-embedded-file PDF EmbeddedFile object 123 at offset 0x14C5C 291 bytes
bin_adobeupdate.wav
4c92fa78e09cab2a358daac5ceffdf9346faa05ad5524c474f53ba256037c0df		 pdf-embedded-file PDF EmbeddedFile object 135 at offset 0x15F79 135183 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
javascript_obj0092_000.js
97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61		 pdf-javascript-stream PDF /JS object 92 at offset 0x323A 1946 bytes
stream_012_off000029ca.js
f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x29CA 1532 bytes
stream_013_off00002bb5.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2BB5 870 bytes
objstm_0126_00.bin
ba08ce675f5a4edd23a5e7004fab9b39cd9f4a22a78e3315f0f79ca8628e5b98		 pdf-objstm-decoded PDF /ObjStm 126 0 obj (inflated) 1974 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.