PDF malware analysis — malicious · dbfded7c7401b812

MALICIOUS

PDF

210.7 KB Created: 2010-02-25 09:23:00 -08:00

MD5: 72bdca7dd12ed04b21dfa60c5c2ab6c4 SHA-1: 24b67087f768566c58adba0b5c65903419354dbe SHA-256: dbfded7c7401b8128f39f8e8834bafe7a11addfa9b4c5a1bb9247243a443a4b1

72 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains embedded JavaScript and is structured as an image-only document with an action trigger, typical of a phishing lure. The embedded JavaScript is likely responsible for downloading and executing a secondary payload. The presence of multiple embedded files further suggests a multi-stage attack. The benign URLs extracted do not provide further indicators.

Heuristics 7

Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 210 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdf/1.3/

Extracted artifacts 9

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0001.bin` `c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb`	pdf-embedded-file	PDF EmbeddedFile object 1 at offset 0x1BD7	85 bytes
`embedded_file_obj0002.bin` `52f043a6fc7df55209bb983ed6c7d2cbf223d70807f647258f3320e58aef00a9`	pdf-embedded-file	PDF EmbeddedFile object 2 at offset 0x1C89	1465 bytes
`embedded_file_obj0003.bin` `af16e0cb98e636cca488174851c84e433b9acda855828256025165579bf7f91e`	pdf-embedded-file	PDF EmbeddedFile object 3 at offset 0x1F44	973 bytes
`embedded_file_obj0004.bin` `25d743ae4c43415786d92862868b8a50a0d830dea6ed82626a2bf1370faf2509`	pdf-embedded-file	PDF EmbeddedFile object 4 at offset 0x2193	11882 bytes
`embedded_file_obj0005.bin` `226eeacc5eecef2a05ca480f144ff6936594e20b5c7672e8f29f25c8bea65a56`	pdf-embedded-file	PDF EmbeddedFile object 5 at offset 0x2640	2928 bytes
`embedded_file_obj0006.bin` `4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5`	pdf-embedded-file	PDF EmbeddedFile object 6 at offset 0x29AD	200 bytes
`embedded_file_obj0007.bin` `1e96d28fce4fbbc1f0f529e2266e0d503636f29111a4ea3cb8464bc9f6b5250a`	pdf-embedded-file	PDF EmbeddedFile object 7 at offset 0x2AA0	835 bytes
`embedded_file_obj0008.bin` `8f96f8652bbe352f96051db71b660e225a5fc0ae5963e496720bd7a5634fd5d2`	pdf-embedded-file	PDF EmbeddedFile object 8 at offset 0x2C79	291 bytes
`stream_002_off000013b0.bin` `05be3559404a8717e68e6b5884bea90b066cd04a5d42d7ddf2487abda5869e78`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x13B0	2983 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.