PDF malware analysis — malicious · dbda4d4a7adf61f3

MALICIOUS

PDF

1.57 MB Created: 2010-05-07 23:19:26 +02:00

MD5: a67d975f8859c4b419564debe34c7492 SHA-1: 28c72e78fc7d65777a6c13a5f502905969b72671 SHA-256: dbda4d4a7adf61f39916cb3e3b794b686ccd887548a4800940bfbf4b38fa31d9

68 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript and a heuristic firing indicates a potential exploit related to CVE-2018-4990, which affects JPXDecode. This suggests the document is designed to leverage this vulnerability to execute malicious code. The embedded JavaScript likely attempts to download and execute a second-stage payload, although the exact mechanism is obscured by the PDF structure. The presence of an external URI, though benign, is noted.

Heuristics 7

JPXDecode + active content — JPEG2000 CVE-family indicator high CVE related PDF_JPX_CVE_2018_4990_RELATED

PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
External URI info PDF_URI

PDF contains an external URL action
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdf/1.3/

Extracted artifacts 28

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_002_off0000071f.js` `2dabeabb98e96415174f1c953dfac1b7432a0405a962abde8c2f669f6cde538b`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x71F	7595 bytes
`stream_023_off00006cc4.bin` `ddc9624e22d24b6fd35f08e76eb9dfce8e65e90a6d5703faadd103c7c85ba30d`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x6CC4	884736 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.71, consistent with packed or encrypted content.
`stream_024_off000ca866.bin` `cc59f71a59de4d2aaf0eb5d101d36f7b7237afb0c6796a81beef8e1813c50a54`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xCA866	38400 bytes
`stream_025_off000ce957.bin` `d981c7fd42d6f529ec52ce75a7ef8417fcd76b92556a3064ef466a8635a50d64`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xCE957	38912 bytes
`stream_026_off000d2a88.bin` `fd7e28fd809ffa6cf6e997df184379e168fe8b9df3c6334714e63a37aca9a9e8`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xD2A88	38912 bytes
`stream_027_off000d6d0e.bin` `93fb4767fb7afae62f0fcf6adf56cc49171d758c3ba55d7d87ed498096e56f0f`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xD6D0E	38912 bytes
`stream_028_off000daefc.bin` `e40448ab927a1280156d53f18b41342b333758e51ac58fbe746ecd3351293271`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xDAEFC	38400 bytes
`stream_029_off000defc9.bin` `993759daba1831808368208ca745e39492048b7b638f28ee2f5df3f20ca457c6`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xDEFC9	38912 bytes
`stream_030_off000e3175.bin` `b52e867643a8504a6106d84aec7340fb815f5c385a249a88df34bd990ddfb280`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xE3175	39424 bytes
`stream_031_off000e7369.bin` `8323edfa4033a930a31c63fd5a91b0c6528d3876bc1b282d6bc8e409266b10bf`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xE7369	38400 bytes
`stream_032_off000eb488.bin` `6a510337ad3fe7c484da6ab5de692f944b5a93e2542cf6ef8f56f52b60cd2906`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xEB488	38912 bytes
`stream_033_off000ef660.bin` `b312edfa9878c7c12230b6c66eb6fd47282e6c43dd84a1a077d1c97a2f7f4c06`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xEF660	38400 bytes
`stream_034_off000f36c8.bin` `bcefc973e989e11855a6640d69ecefe513182c89d66fea0d713ed9594fd02329`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xF36C8	38912 bytes
`stream_035_off000f77f3.bin` `fda0f2abf4306e988219e7e424bdc3cde3ca9baf1a7c39d1a0340c1a26bc1974`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xF77F3	37888 bytes
`stream_036_off000fb77f.bin` `15c748b3332f95be96d6c80e4ee13a2b950dd0c44f2c64251eff518e80b722b8`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xFB77F	38912 bytes
`stream_037_off000ff85a.bin` `01865dc80cc6600de889e0b050f3a746ecc06d2faae0c8f1664c45acb5835e4d`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xFF85A	37888 bytes
`stream_038_off00103897.bin` `c5b0144d6430f863196dc722ec2d209701335c5559061b1d93361438dd69187a`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x103897	38400 bytes
`stream_039_off001078fe.bin` `ee9528778c8034c57b31b70b7614999c859244f251bdf2c15473558c7bcb26af`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x1078FE	38912 bytes
`stream_040_off0010baa3.bin` `34f73432f2f556664b35b49a08196f8ca6d539269a59d14f96d7e4b923b67b5c`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x10BAA3	39424 bytes
`stream_041_off0010fcbd.bin` `e884496564c3d0217e728da55e48edee5ca0696c62c23410f8441f49292e0e83`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x10FCBD	37888 bytes
`stream_042_off00113c2b.bin` `8368f0a470dd1de12f2a7377b34596cac29ea826462b746777fbd40eacedd75d`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x113C2B	37888 bytes
`stream_043_off00117c53.bin` `86878ea171854cfc372bdf18acc98406b37ae32bb37a1a677ef5dce74385999c`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x117C53	38400 bytes
`stream_044_off0011bc77.bin` `38d93406d840e2b5ecad6e08db465b60025dd0f0cdfd67a90476a7f7a645a00a`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x11BC77	37888 bytes
`stream_045_off0011fc91.bin` `f6c6e21a2e3a91a9ec1d0f188ad2e856359adf2b99d381125226e8d637258946`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x11FC91	39936 bytes
`stream_046_off00123ec5.bin` `b3eb83d97960abe9abeba199708182087191bb7ade253ad9ea1c29b52e13394b`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x123EC5	38912 bytes
`stream_047_off0012802f.bin` `9db5148c40943c5c334f86572efb32943141a059863b85395dcd1abd5e2dc81f`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x12802F	38400 bytes
`font_00_cff_off00003ce7.bin` `171dc0e7fe15c9747b9035df78e9d35fd59fa4e0fe668beb594c61f0ec10ef88`	pdf-font-stream	PDF embedded font (cff) at offset 0x3CE7	3209 bytes
`font_01_cff_off00004a54.bin` `114bf501e79c7dc6ba4078f26a6f35c386fac12ff7fe59758fc97a0ed4cb586a`	pdf-font-stream	PDF embedded font (cff) at offset 0x4A54	1699 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.