Malicious PDF — malware analysis report

Static analysis result for SHA-256 d392c0c3ef37da23…

MALICIOUS

PDF

4.98 MB
MD5: 8e5a6ca214d1df87e1e03c024073ad87
SHA-1: 7f787bed34d8d954d6178162634cccfd533142cc
SHA-256: d392c0c3ef37da23f9c9fc5efbf44a6e27e8aca057b9fbe65d338315840c9536
Risk Score: 310

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1539 Steal or Harvest Data
  • T1078 Valid Accounts

The PDF contains an embedded script payload and multiple heuristics indicate malicious intent. Specifically, the document lures the user with urgency and requests for MFA codes or recovery secrets, which are high-risk lures. It also contains instructions for executing commands via LOLBins. The embedded script and the nature of the lures suggest an attempt to harvest credentials or session tokens.

Heuristics (11)

  • Recovery secret / private key request (critical) SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Embedded script payload in PDF stream (high) PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Clipboard command execution lure (high) SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • Visible LOLBin command execution instruction (high) SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • Password-protected archive handoff (high) SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning.
  • MFA / one-time-code harvesting lure (high) SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation; this is consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication.
  • Unusually high stream count (medium) PDF_MANY_STREAMS
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
  • Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Urgency / deadline lure (low) SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.); this is useful context, but low-signal without other findings.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (each entry lists the filename, its SHA-256, then kind, source and size)
embedded_pdf_script_00104851.bin
748aa82b1245413bef2e19b9ccc2ea2387314c878e9b862b0d839aaa4cb1b9cc
pdf-embedded-script PDF decompressed stream script payload at offset 0x104851 9489 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 shell/COM execution token(s).
font_00_cff_off000db952.bin
af9afcd67e9eeb4430844c40b2fa711ab53bab642aab5b89dca83f873590e2f1
pdf-font-stream PDF embedded font (cff) at offset 0xDB952 1718 bytes
font_01_cff_off000dbfeb.bin
0b448e2ad9f1991caf076f8cde59a43db33ef0fdf16c861b8160dd7d11d1410e
pdf-font-stream PDF embedded font (cff) at offset 0xDBFEB 4511 bytes
font_02_cff_off000dcea6.bin
ba51813b161ab6038fceee7c56ac2430bdd013fbd798b770aff0a8d56d4df830
pdf-font-stream PDF embedded font (cff) at offset 0xDCEA6 5008 bytes
font_03_cff_off000ddec5.bin
4a31bb567ef785b648df2524b626d7d3cea2de5af57591011691ee2a7ace80b6
pdf-font-stream PDF embedded font (cff) at offset 0xDDEC5 789 bytes
font_04_cff_off000e43a1.bin
edb4558428130c26a55aed01397a356e04f663a42f1644318c803ecd52dbd439
pdf-font-stream PDF embedded font (cff) at offset 0xE43A1 2420 bytes
font_05_cff_off000e4bfa.bin
f2ad6280b5dfd6b74a31e29bce798db6e46fe7bdb31706ece9041ae38a1c0739
pdf-font-stream PDF embedded font (cff) at offset 0xE4BFA 2859 bytes
font_06_cff_off000eb664.bin
4fedc625ffcc901ca59f08c5a93f168246feea85ef2d8b4056f721d513ce35bf
pdf-font-stream PDF embedded font (cff) at offset 0xEB664 1749 bytes
font_07_cff_off000ebcbd.bin
4a58fcc12cafbee1e8fe6e1135a6dd551f59c6966864984367d5c80589052236
pdf-font-stream PDF embedded font (cff) at offset 0xEBCBD 5123 bytes
font_08_cff_off000ecd56.bin
41c036018e5f03fd9d346f9bed6d11607799cc29b026fb413368a06b3878beca
pdf-font-stream PDF embedded font (cff) at offset 0xECD56 2161 bytes
font_09_cff_off0012af59.bin
6e10ccabf7ba6588816609200d1056bcf043e037b8ddff73ba8d3bcff3c9b4b9
pdf-font-stream PDF embedded font (cff) at offset 0x12AF59 414 bytes
font_10_cff_off0017dce6.bin
08e52b42953a9c3e12230c8e3398ea7fb596884d40addd6568843f0482564a79
pdf-font-stream PDF embedded font (cff) at offset 0x17DCE6 1236 bytes
font_11_cff_off003f9784.bin
8b8bb61925c499491cf6b7dd59fcc6ed82064372bc97c603c78f6d423889733a
pdf-font-stream PDF embedded font (cff) at offset 0x3F9784 966 bytes
font_12_cff_off0047d8ba.bin
ce2dfc60d30133a89f75c1066f3a5b8e3f5f55b7233af5548f0e4dbdbd89509f
pdf-font-stream PDF embedded font (cff) at offset 0x47D8BA 3212 bytes
font_13_cff_off0047e5cd.bin
bcb845c9394c41f01cd0c0527e489250f3ebd05d0a41844a97b7b8a40d82a0f3
pdf-font-stream PDF embedded font (cff) at offset 0x47E5CD 440 bytes
font_14_cff_off0047e8d3.bin
e0ec761cef7d2a18c6de378ff3112321dbe06968258f06646e29aba1318d29b2
pdf-font-stream PDF embedded font (cff) at offset 0x47E8D3 488 bytes
font_15_cff_off0047ec25.bin
de1d0fd38ef49680c3f97a59d36960017fc80d1bd723547af77fa966ff569b34
pdf-font-stream PDF embedded font (cff) at offset 0x47EC25 1197 bytes
font_16_cff_off004a272d.bin
fc2a68606e7770450af7cf51a8a4aee4897919f9fdeb14cd18761381c0955283
pdf-font-stream PDF embedded font (cff) at offset 0x4A272D 4533 bytes
font_17_cff_off004a382d.bin
22f4b403c583f4d83a2e3fc004b3916553e62ae8f497c68964affd24d8462415
pdf-font-stream PDF embedded font (cff) at offset 0x4A382D 10628 bytes
font_18_cff_off004a5b08.bin
dd8848ab66c9ade9cc1f091d6f91da40bbba6f1f107deb3c4ff5828cf44de27d
pdf-font-stream PDF embedded font (cff) at offset 0x4A5B08 2916 bytes
font_19_cff_off004a64e6.bin
414cb072427e203c93d71b59fa6e09ca5c061bdc77834e4d58367da6cb0d5724
pdf-font-stream PDF embedded font (cff) at offset 0x4A64E6 3016 bytes
font_20_cff_off004a6e42.bin
78803c16d9c6bb0b99bda72674aac381f63cfd039d8106351c1c9ce1b69055e1
pdf-font-stream PDF embedded font (cff) at offset 0x4A6E42 6077 bytes
font_21_cff_off004a83e2.bin
356a99c5c134d8618c53ef58efd4148b5a9ab7e8efe2d5f26feda1892f8886e4
pdf-font-stream PDF embedded font (cff) at offset 0x4A83E2 11203 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.42, consistent with packed or encrypted content.
font_22_cff_off004ab14d.bin
43c7e49409ae526f05bb0f963dbb0a04e23e698146890e64db9617c825561038
pdf-font-stream PDF embedded font (cff) at offset 0x4AB14D 3423 bytes
font_23_cff_off004abf9b.bin
74ad099ea135dd32602247b5aeead46d1f0721638dbba4c0d25e8668bed8f5f5
pdf-font-stream PDF embedded font (cff) at offset 0x4ABF9B 4435 bytes
font_24_cff_off004d927e.bin
8bfe6ddced6fa88016c1040293345f1586c07f0f678c3432ab26c15e9005d231
pdf-font-stream PDF embedded font (cff) at offset 0x4D927E 7960 bytes
font_25_cff_off004dbdb8.bin
37249032dbe1c2d486b7c8da30deacc1c0c8ee761529db7363ce349f719ec44e
pdf-font-stream PDF embedded font (cff) at offset 0x4DBDB8 4939 bytes
font_26_cff_off004df9fb.bin
ad200b7aa8c5dc789b33ad9911f2f3349877a590ededa36917e5ad294a3bac75
pdf-font-stream PDF embedded font (cff) at offset 0x4DF9FB 4294 bytes
font_27_cff_off004e0b00.bin
ed4c5cbb66f37cb80aaee174375082b27a493768370374b16d35d7aae15bcff6
pdf-font-stream PDF embedded font (cff) at offset 0x4E0B00 5451 bytes
font_28_cff_off004e1eb2.bin
e5bc0a2154b3a46424f7216ba63837ac4683eb3919302c2e356c85e7f748ff22
pdf-font-stream PDF embedded font (cff) at offset 0x4E1EB2 3636 bytes
font_29_cff_off004e2ba9.bin
3641a805d2f31c3b63f847f997a3d05e21bbb3f206df6fe73362e2595c51eab5
pdf-font-stream PDF embedded font (cff) at offset 0x4E2BA9 835 bytes
font_30_cff_off004eb13c.bin
a0b7b1e9cc06b651d09067cb689ceb9cfc5d23384fd7b26e97075c43e682a460
pdf-font-stream PDF embedded font (cff) at offset 0x4EB13C 5525 bytes