Malicious PDF — malware analysis report

Static analysis result for SHA-256 da347bc56b68f452…

MALICIOUS

PDF

1.36 MB Created: 2011-12-05 09:24:17 -08:00 Authoring application: Adobe Illustrator 15.0 (via Acrobat Distiller 9.4.6 (Windows))
MD5: 22acd7ab7118021cce1acec1723d16fc SHA-1: 8abe58d396cd3616cf17271c9ab006f0a9b5bab8 SHA-256: da347bc56b68f452bb670280cda90fce88bb8c2824663d753c9f698b3a9640b3
136 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1071.001 Web Protocols

The PDF file contains multiple JavaScript objects and actions, indicating malicious intent. Specifically, a PDF JavaScript action is configured to submit form data to 'http://www.sdvote.us/EVRfill.asp#FDF', suggesting an attempt to exfiltrate user-submitted data or credentials. The presence of a callback lure also points towards a phishing or social engineering attack. The CCITTFaxDecode heuristic related to CVE-2010-0188 suggests a potential exploit for that vulnerability.

Heuristics 9

  • CCITTFaxDecode + active content — LibTIFF CVE-family indicator high CVE related PDF_CCITT_CVE_2010_0188_RELATED
    PDF uses /CCITTFaxDecode together with JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
  • PDF JavaScript submits form data to external URL high PDF_JS_SUBMITFORM_URL
    PDF JavaScript calls submitForm() with an external HTTP(S) URL. This can send form/document context to a remote endpoint or route the user into a credential-phishing flow. It is a behavioral indicator, not a parser exploit signal.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.aipca.org/
    • http://www.cagop.org/
    • http://www.peaceandfreedom.org/
    • http://www.ca-dem.org/
    • http://www.cagreens.org/
    • http://www.americanselect.org/
    • http://www.lp.org/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/sType/Font#
    • http://ns.adobe.com/xap/1.0/g/

Extracted artifacts 30

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0089_000.js
2bc89384cc9a988fdfbe42c9577794a652ace538919b64438c3dd2a5014aa8d3		 pdf-javascript-stream PDF /JS object 89 at offset 0xC33F7 37 bytes
javascript_obj0094_001.js
2011a45da6afd639a0c336a612fe121ae6aaf1b2b534752b8cd3db427fb8d23e		 pdf-javascript-stream PDF /JS object 94 at offset 0xC3587 168 bytes
javascript_obj0095_002.js
fdb8f935c76a7a6a0d35542360b5ef1ef2f7a0fb4bd58d956e352dfa36ee1891		 pdf-javascript-stream PDF /JS object 95 at offset 0xC3660 39 bytes
javascript_obj0096_003.js
fa415cb903283b36d0cc304c2168f3ddeb7b31d347928c167df83d93c9dfd88c		 pdf-javascript-stream PDF /JS object 96 at offset 0xC36B2 150 bytes
javascript_obj0097_004.js
13314674192b352128f1f3f7ba5e44b1f1440373044c4c2967b176c75fcba027		 pdf-javascript-stream PDF /JS object 97 at offset 0xC377B 37 bytes
javascript_obj0099_005.js
d7feabbe96d6239a4e68846c17660c84111cd34df235720909593806041f8a24		 pdf-javascript-stream PDF /JS object 99 at offset 0xC38E2 42 bytes
javascript_obj0100_006.js
6b7cde5083353dc94a728e784406248df1e3c34b8a1b86c325dca7d6822fc92b		 pdf-javascript-stream PDF /JS object 100 at offset 0xC3935 39 bytes
javascript_obj0103_007.js
24cd42d2a79d989f9c777731e5f784b1a439f2f53c22e3cd9fdcad2d8fd8527e		 pdf-javascript-stream PDF /JS object 103 at offset 0xC3AC7 104 bytes
javascript_obj0261_010.js
1e91d318b0b17d25e9520ad0f91c01f01ae562b71670257f350760a6c9ded266		 pdf-javascript-stream PDF /JS object 261 at offset 0xC77C4 183 bytes
javascript_obj0262_011.js
8bd8dd372fc326d06c6a282d7bdf145d9bd8457b6f1bbe6866f77015b570e31f		 pdf-javascript-stream PDF /JS object 262 at offset 0xC78B6 41 bytes
javascript_obj0263_012.js
b49875e7a786cc7d62191be88c49afc7a7f53551d4ec30ddf24c3fd7583d7233		 pdf-javascript-stream PDF /JS object 263 at offset 0xC790B 33 bytes
javascript_obj0264_013.js
856c541a6d43f0ec99b33b483ed39776ee4651444f6d7171156edf70f1a665a0		 pdf-javascript-stream PDF /JS object 264 at offset 0xC7956 58 bytes
javascript_obj0278_015.js
894cd4835ae6fe1c62a445ab4356ddf29a36f8f6ea6b07bad24318ddcb27647a		 pdf-javascript-stream PDF /JS object 278 at offset 0xC8038 36 bytes
javascript_obj0281_016.js
796be083fc23249f3609bffc3356a3b4e8ee6f0af58b864030b57592731fd879		 pdf-javascript-stream PDF /JS object 281 at offset 0xC8128 38 bytes
javascript_obj0367_018.js
3ecbee86871189e9676de5f1a6743967b6cf3b0b6c5e9d095dd1658df2751cff		 pdf-javascript-stream PDF /JS object 367 at offset 0x104EC8 250 bytes
javascript_obj0098_019.js
58979f94dbea259cacaf0f40856f7b24fd883d224d105642b0b47c9f969db58d		 pdf-javascript-stream PDF /JS object 98 at offset 0xC37CB 316 bytes
javascript_obj0102_020.js
10e7cc943b2a0abe39f44792832303e5ad79dcc848e16ad54818ad3c67974162		 pdf-javascript-stream PDF /JS object 102 at offset 0xC39B3 315 bytes
javascript_obj0105_021.js
c95b59b80ec2b276cf186723c8d577ef65154c3544ef226e48eb7d304bcc0e0e		 pdf-javascript-stream PDF /JS object 105 at offset 0xC3B8D 579 bytes
javascript_obj0255_022.js
83301a34b8de9d1d57f81debb30c647a22cb42b790155236533f028f8bd82b6e		 pdf-javascript-stream PDF /JS object 255 at offset 0xC75BA 586 bytes
javascript_obj0267_023.js
7f68905d3ffc5bf7a79b86e6f14967644d95312b5ab4d5d6ad8f4e7124b4a85c		 pdf-javascript-stream PDF /JS object 267 at offset 0xC7A59 310 bytes
javascript_obj0271_024.js
5d15eb84b9878860bd75e6a624fcd2a053e5a3b4f8bb754108092586585b34e0		 pdf-javascript-stream PDF /JS object 271 at offset 0xC7C40 311 bytes
javascript_obj0274_025.js
a461429ebd1cffae2901f17808dd9864ac54383c6b21fed9d9d5d27062a749ce		 pdf-javascript-stream PDF /JS object 274 at offset 0xC7E19 527 bytes
javascript_obj0372_026.js
f653e210f75fb350c03029f310c8223318d358f2f347443b3267be5b362955a0		 pdf-javascript-stream PDF /JS object 372 at offset 0x10505B 494 bytes
javascript_obj0438_027.js
f8eddd58bdafdbf1b33206c59a3238f88c0c8d20209c697b93e95bbca356569e		 pdf-javascript-stream PDF /JS object 438 at offset 0x145B3D 1942 bytes
stream_002_off00000ee8.bin
51b08af1fa0732b06ed0ab6601e6b9c4b00a865e4e744326c67ea79995e01dd9		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xEE8 11390 bytes
stream_107_off000c968c.bin
1e8564d3d89047875dccaa98279599de9d7ddf77240906041f1156ba8edf3315		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xC968C 352198 bytes
stream_120_off00116e17.bin
a7e4ac807b2e5b1332b56be3155f2a4088041a81941cdb4e24ce88d59f0bfb9c		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x116E17 34650 bytes
objstm_0470_00.bin
fc9ba68b495353e1e99027bdff552398d6902332379a6253c1f2fcefe2573712		 pdf-objstm-decoded PDF /ObjStm 470 0 obj (inflated) 10818 bytes
icc_00_off00105a7d.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x105A7D 3144 bytes
font_01_sfnt_off0010943c.bin
ad27dba2b6b742971f6bc21cc0f5d0436520bbdd568e7a08bf82ebfc81c2ec8a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10943C 34828 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.