PDF malware analysis — malicious · d4195788c26dc01a

MALICIOUS

PDF

122.8 KB Created: 2010-03-12 05:57:43 +08:00

MD5: 3fe0ba30e0e34a0a5d58fe3a701d0357 SHA-1: 3ab0398991f32ac27442023853330079728a4c8f SHA-256: d4195788c26dc01a1c766a9c2ddfeea7e89661b4f3b03341f908c49504460f48

74 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF document is identified as a phishing lure due to its image-heavy nature and embedded click-outward action. It contains embedded files, including 'bin_adobeupdate.wav' and 'bin_adobeupdate_1.wav', which are suspicious artifacts. The presence of JavaScript actions and embedded JS streams suggests an attempt to execute malicious code, likely to download a second-stage payload.

Heuristics 8

Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 2 image(s), only 1 text block(s), carries a click-outward action, and is only 122 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdf/1.3/

Extracted artifacts 14

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0002.bin` `52f043a6fc7df55209bb983ed6c7d2cbf223d70807f647258f3320e58aef00a9`	pdf-embedded-file	PDF EmbeddedFile object 2 at offset 0xFC9	1465 bytes
`embedded_file_obj0003.bin` `af16e0cb98e636cca488174851c84e433b9acda855828256025165579bf7f91e`	pdf-embedded-file	PDF EmbeddedFile object 3 at offset 0x1284	973 bytes
`embedded_file_obj0005.bin` `226eeacc5eecef2a05ca480f144ff6936594e20b5c7672e8f29f25c8bea65a56`	pdf-embedded-file	PDF EmbeddedFile object 5 at offset 0x14D2	2928 bytes
`embedded_file_obj0006.bin` `4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5`	pdf-embedded-file	PDF EmbeddedFile object 6 at offset 0x183F	200 bytes
`embedded_file_obj0007.bin` `1e96d28fce4fbbc1f0f529e2266e0d503636f29111a4ea3cb8464bc9f6b5250a`	pdf-embedded-file	PDF EmbeddedFile object 7 at offset 0x1932	835 bytes
`bin_adobeupdate.wav` `c29d09c36bd2a54132708e214e140c0f3481c40a9da403180068c56ed1a6278a`	pdf-embedded-file	PDF EmbeddedFile object 117 at offset 0x3D5E	79045 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 8.00, consistent with packed or encrypted content.
`embedded_file_obj0121.bin` `c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb`	pdf-embedded-file	PDF EmbeddedFile object 121 at offset 0x146D6	85 bytes
`embedded_file_obj0122.bin` `ae87615dd41823179ad70e190adebc5bde94d009e71ee59688ea0180234e555f`	pdf-embedded-file	PDF EmbeddedFile object 122 at offset 0x1478B	11882 bytes
`embedded_file_obj0123.bin` `d21ca335229dd674f45251c3a4138ff4e1ebf624e9d1c678b61c4a2dfa1e0172`	pdf-embedded-file	PDF EmbeddedFile object 123 at offset 0x14C60	291 bytes
`bin_adobeupdate_1.wav` `e38d0ea780fcd2f4ac51c2bced888f6a6ed4301c153543f9272190906b9697e5`	pdf-embedded-file	PDF EmbeddedFile object 135 at offset 0x15F7F	35132 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.96, consistent with packed or encrypted content.
`javascript_obj0092_000.js` `97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61`	pdf-javascript-stream	PDF /JS object 92 at offset 0x323B	1946 bytes
`stream_013_off000029cb.js` `f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x29CB	1532 bytes
`stream_014_off00002bb6.js` `4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x2BB6	870 bytes
`objstm_0126_00.bin` `ba08ce675f5a4edd23a5e7004fab9b39cd9f4a22a78e3315f0f79ca8628e5b98`	pdf-objstm-decoded	PDF /ObjStm 126 0 obj (inflated)	1974 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.