Win.Trojan.Mybot-282 — PDF malware analysis

Static analysis result for SHA-256 da02de2b1287d07d…

Verdict: MALICIOUS
File type: PDF
Size: 1.95 MB
MD5: 1f731abea6ca10a9a01a07f2678f0368
SHA-1: fde204e17a8011dbfc91388147ec272c3e41e01a
SHA-256: da02de2b1287d07d39db735dcda8a5e9453db62bc1cdb2ad1a2b3c29d7bf5874
Risk Score: 288

Malware Insights

Win.Trojan.Mybot-282 · confidence 95%

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript that is identified as a WScript downloader. The script carries heap-spray exploit code targeting the PDF's XFA forms, most likely to download and execute a secondary payload. ClamAV detections confirm the presence of Win.Trojan.Mybot-282, indicating a trojan downloader.

Machine Learning

  • Nyx PDF Classifier clean score 0.0099

Heuristics (8)

  • XFA JavaScript heap-spray exploit code critical PDF_XFA_HEAP_SPRAY
    PDF contains XFA script content with heap-spray or shellcode-like JavaScript markers such as large encoded word sequences, util.pack, large arrays, or spray variable names. This is a weaponised Adobe Reader exploit pattern, not a normal interactive form.
  • ClamAV: Win.Trojan.Mybot-282 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Mybot-282
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF JavaScript WScript downloader high PDF_JS_WSCRIPT_DOWNLOADER
    Decoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ocsp.verisign.com0
    • http://d.href.asia/nw/d/ck.php?oaparams=2__bannerid=2148__zoneid=1878__cb=1347414661&tid=5492cf2f58d7c3503056db2b00000000&r=http%3A%2F%2Fm.one.impact-ad.jp%2Fclick%2FPZ.qYzE7jvkaUHIK7dSE.rcH9F4cJQrs.l-5clnR0FnCuUsgJi-ZVi3egP7GN-.1SGo0C6fB66.J6hui3fVAdhZ4tNB3vBxnNNCyESMoVwLMK6ZmsG8FPsjnqRGKmkHmFV55Fh5BqO7j4zNeoHCwT0qeSkpoC0WMewPg4.H3UjzdbRD9ITue-6N418A1RF.P-3E6hUTCCOXU2.8mKvOL7p2doBgHRrY0WZFatO4P.TjToE-mNUZYl4T1-5C9L5k1ULJ2Yhk2zsjeYT7sjMqEGoLu0..1lz9s7NS2b6r77adYyFQA3TLI0LtnM6CUav2lQdPFuanuqCylSK5YByCccWRVP6M%3D%2F%2F
    • https://www.netlock.net/docs
    • http://www.usertrust.com1
    • http://www.usertrust.com1+0
    • http://www.spacetown.ne.jp/mebius/lib/t-bit3d/chobi.html
    • http://www.asahikawa-med.ac.jp/hospital/hoshasenbu/qa.html
    • http://imextrades.com/product/xray/dose.htm
    • http://www.mash-japan.co.jp/faq-f/radioactivity/index.html
    • http://www.dableducational.org/
    • http://www.qq.pref.ehime.jp/
    • http://www1.ehime.med.or.jp/emailsetting
    • http://iyo.ehime.med.or.jp
    • http://www1.ehime.med.or.jp/200704/index.html
    • http://www.pref.ehime.jp/sinsei/sosiki.htm
    • http://pingu.iyo.ehime.med.or.jp/dnet/dnet.cgi?[
    • http://www.spacetown.ne.jp/mebius/lib/t-bit3d/chobi.htmlG
    • http://www.trustcenter.de/guidelines0
    • http://www.certplus.com/CRL/class3P.crl0
    • http://www.certplus.com/CRL/class2.crl0
    • http://ca.sia.it/secsrv/repository/CRL.der0J
    • https://ca.sia.it/secsrv/repository/CPS0
    • http://www.valicert.com/1
    • http://www.inf9
    • http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
    • http://ca.sia.it/seccli/repository/CRL.der0J
    • https://ca.sia.it/seccli/repository/CPS0
    • http://www.certplus.com/CRL/class3.crl0
    • http://www.certplus.com/CRL/class1.crl0
    • http://www.certplus.com/CRL/class3TS.crl0
    • http://ad.yieldmanager.com/pixel?id=1625385&t=2
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/sType/Font#
    • http://ns.adobe.com/xap/1.0/g/
    • http://ns.adobe.com/illustrator/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2FFujitsuFMV&width=350&height=230&colorscheme=light&show_faces=true&border_color&stream=false&header=true
    • http://static.ak.fbcdn.net/rsrc.php/v2/yg/r/gM5yyH0Qi3W.css
    • http://static.ak.fbcdn.net/rsrc.php/v2/yV/r/b498bUf3f8c.css
    • http://static.ak.fbcdn.net/rsrc.php/v2/yY/r/XLZ70DrQyew.js
    +51 more URL(s)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • stream_014_off0000a3be.bin
    SHA-256: e5ecb74f99ace20650af89aefe83a46cc30881d1e5a9e200ed4cbff2e6ac67df
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xA3BE
    Size: 68336 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.45, consistent with packed or encrypted content.
  • stream_015_off0001a011.bin
    SHA-256: 9518fb842d484e010366e1eaed8aacc8bcfc6fa09f83def727b9245507631c09
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1A011
    Size: 47415 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.40, consistent with packed or encrypted content.
  • stream_016_off000251f4.bin
    SHA-256: 557679a2b9a0004c2514c89495f654140a20a51c2fb1d7d51bdfbd844cb008e8
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x251F4
    Size: 142705 bytes
  • embedded_pdf_script_0013b408.bin
    SHA-256: 01205f10799a166deb6875e0230d36dc48eee3a823fb5f472676fd51cf8998e2
    Kind: pdf-embedded-script
    Source: PDF decompressed stream script payload at offset 0x13B408
    Size: 2047912 bytes
    Detection: ClamAV: Win.Trojan.Mybot-282
    Obfuscation or payload: likely
    Carved artifact contains 37 shell/COM execution token(s). Carved artifact contains 2 long base64-like blob(s).
  • font_00_cff_off00005046.bin
    SHA-256: 443dafdff9194245273c98d4686d6e84911352c591d715806570071936331e46
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x5046
    Size: 21905 bytes