Malicious PDF — malware analysis report

Static analysis result for SHA-256 d77f196114a31ede…

Verdict: MALICIOUS
File type: PDF
Size: 272.8 KB
Created: 2009-05-11 10:08:39 +03:00
Authoring application: Adobe LiveCycle Designer ES 8.2
MD5: 35cd657d082d855b6662f433626d01e7
SHA-1: bba33b80acb8347813fa4e537bae04a2cfeaf09c
SHA-256: d77f196114a31edef031705ee34d81335b804c3bc4b342e23d3ac6d77a256eaa
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The PDF file contains embedded JavaScript and a SubmitForm action, indicating an attempt to interact with external resources. The presence of an embedded script payload and the use of unescape() suggest the execution of malicious code. While the document body is unreadable, the heuristics point towards a downloader or exploit delivery mechanism. The embedded file 'embedded_file_obj0010.bin' and the JavaScript file 'javascript_obj0207_001.js' are likely components of the malicious payload.

Heuristics (10)

  • unescape() call (severity: high; rule: PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • SubmitForm action (severity: medium; rule: PDF_SUBMITFORM)
    PDF has a /SubmitForm action — form data can be silently posted to an attacker-controlled URL
  • Embedded script payload in PDF stream (severity: medium; rule: PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low; rule: PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form (severity: low; rule: PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger (severity: low; rule: PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (20)

Files carved from inside the sample during analysis.

  • embedded_file_obj0008.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 8 at offset 0x1FA4; Size: 162 bytes
    SHA-256: dc5340ca6b8faa6e248a740e920df7c0eb2bd05e99bdb59be07b72db43557153
  • embedded_file_obj0009.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 9 at offset 0x2093; Size: 2226 bytes
    SHA-256: 606d512836d3eeec7f64a82d49963e8a0c0e609a462440dfb0a441983d6b9ae2
  • embedded_file_obj0010.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 10 at offset 0x243C; Size: 60203 bytes
    SHA-256: d6e376e98576f857784df370e74358e4e5740db25f90fef09817d69015230b7f
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blob(s).
  • embedded_file_obj0011.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 11 at offset 0x45EB; Size: 2967 bytes
    SHA-256: 8cc670d8d2f8fc6f4f0ebb1794bca1ba2e56b946a3f546d9b64c97b97d6104e7
  • embedded_file_obj0012.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 12 at offset 0x496A; Size: 871 bytes
    SHA-256: 86b509487430fe2684e4c72fc9e0a07cc57145983a916b237d13a384b6b32322
  • embedded_file_obj0013.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 13 at offset 0x4A59; Size: 1535 bytes
    SHA-256: ca28a4c9a405031892afb9851e38dcdc3db5b47daca8773a021830cd791c1216
  • embedded_file_obj0014.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 14 at offset 0x4D1E; Size: 80 bytes
    SHA-256: 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19
  • embedded_file_obj0015.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 15 at offset 0x4DC9; Size: 233 bytes
    SHA-256: 81dd4e4a7f54fef2f09b8de7ee71036db7ea020657b0d07cc7fab7e4482af11d
  • embedded_file_obj0377.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 377 at offset 0x3FBCF; Size: 1887 bytes
    SHA-256: fa7ad477d12c8e6ea4200dd528a03d0cff54efc2a694ac5eeb4f5eb65208ad51
  • embedded_file_obj0378.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 378 at offset 0x3FD94; Size: 1814 bytes
    SHA-256: 4bd65eafcdb262e6a7eb278af3ae4be7b1a9ca650f86f4c6a2d2afd621c3700b
  • javascript_obj0196_000.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 196 at offset 0x94DD; Size: 999 bytes
    SHA-256: 4a3be1c97fa660c78458adbf8467d9ef0ece4b4be6574ddb6a76861e566be29f
  • javascript_obj0207_001.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 207 at offset 0xB646; Size: 11503 bytes
    SHA-256: 134dcea3245a20a641ef7275cb3bef9d6455db27e7caac2bd70f3663f8b3b24f
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
  • javascript_obj0208_002.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 208 at offset 0xBFAD; Size: 1313 bytes
    SHA-256: f94e41f586bf3f20bc1deeac4bfbda388a61db43f25fbd6304ba73f5653368cf
  • javascript_obj0209_003.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 209 at offset 0xC18F; Size: 902 bytes
    SHA-256: 1b2ec98752b966f601d5223a750559cf13d562ac5e5c6d1fcc7217835b01f5fd
  • javascript_obj0210_004.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 210 at offset 0xC2ED; Size: 2795 bytes
    SHA-256: 826c5622c798d67e5281cca7e05933dddc90ccdcb0a6177c9f7d06f11bef8f7f
  • font_00_cff_off00000937.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x937; Size: 3907 bytes
    SHA-256: 87f6821ea7e5d41d56f8cc2a939bb40ac9487c6df45bf2376e6adbc768081f58
  • font_01_sfnt_off00012890.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x12890; Size: 95975 bytes
    SHA-256: c29e5b1537bee8c88b3ffca56c5f24a45ec8da374cf9d4c0b4a78d04fc230949
  • font_02_cff_off0002479e.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x2479E; Size: 6013 bytes
    SHA-256: 25316e6ef10fae455d1fcf7c92093ea2df713d3b40f605eecd85b19811c47a57
  • font_03_cff_off00026129.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x26129; Size: 10178 bytes
    SHA-256: e7ba48e2b8c5bace9783e2b6d2ca0e14b1f7e0d0461106328735597ec4e6e906
  • font_04_cff_off000288c1.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x288C1; Size: 8997 bytes
    SHA-256: ffa5ec5d4b5102547c14deba45374e016cb7342407dbd297fcafd421ec30b280