Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd5d729ceaad26f6…

Verdict: MALICIOUS
File type: PDF
Size: 177.7 KB
Created: 2010-03-12 05:57:43 +08:00
MD5: 1a4bd9b032e7f1e2af151ad9506379e9
SHA-1: aa0589feadd2e1eed592b1ddb8a3aa7641b0f9e7
SHA-256: dd5d729ceaad26f621b8994e93ebbbd0792a3d005a8571bb3ce9fb02bed0947c
Risk score: 74

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment (the click-outward link the document carries maps to T1566.002 Spearphishing Link)

The PDF has the shape of a phishing lure: an image-only page that hides a clickable region, with an embedded /JavaScript action, a /JS stream and an XFA <script> block behind it, i.e. code that can execute or redirect the user when the document is opened or clicked. The JavaScript body (object 92, 1946 bytes) is not decoded in this report, so the click target is not confirmed; the five extracted URLs are all XMP metadata namespace identifiers, not navigation targets. ClamAV matched nothing, so the verdict rests on the structural heuristics below, which together strongly suggest a phishing attack.

Heuristics (8)

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 2 image(s), only 1 text block(s), carries a click-outward action, and is only 177 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment: it could carry an executable or another weaponised document as a nested payload.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic (matched inside a decoded stream).
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection in itself; the per-URL labels (not reproduced here) record which channel (macro, JS, link annotation, document body, ...) reached each one. All five URLs below are XMP/RDF metadata namespace identifiers of the kind every XMP packet carries, not navigation targets, so the destination of the click-outward action is not among them and has to be recovered from the decoded /JS stream or the action dictionary that triggers it.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (13)

Files carved from inside the sample during analysis. Each entry lists filename, SHA-256, kind, source location and size.

embedded_file_obj0002.bin
  SHA-256: 52f043a6fc7df55209bb983ed6c7d2cbf223d70807f647258f3320e58aef00a9
  Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 2 at offset 0xFC9  Size: 1465 bytes
embedded_file_obj0003.bin
  SHA-256: af16e0cb98e636cca488174851c84e433b9acda855828256025165579bf7f91e
  Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 3 at offset 0x1284  Size: 973 bytes
embedded_file_obj0005.bin
  SHA-256: 226eeacc5eecef2a05ca480f144ff6936594e20b5c7672e8f29f25c8bea65a56
  Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 5 at offset 0x14D2  Size: 2928 bytes
embedded_file_obj0006.bin
  SHA-256: 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
  Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 6 at offset 0x183F  Size: 200 bytes
embedded_file_obj0007.bin
  SHA-256: 1e96d28fce4fbbc1f0f529e2266e0d503636f29111a4ea3cb8464bc9f6b5250a
  Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 7 at offset 0x1932  Size: 835 bytes
embedded_file_obj0121.bin
  SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
  Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 121 at offset 0x146D6  Size: 85 bytes
embedded_file_obj0122.bin
  SHA-256: ae87615dd41823179ad70e190adebc5bde94d009e71ee59688ea0180234e555f
  Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 122 at offset 0x1478B  Size: 11882 bytes
embedded_file_obj0123.bin
  SHA-256: d21ca335229dd674f45251c3a4138ff4e1ebf624e9d1c678b61c4a2dfa1e0172
  Kind: pdf-embedded-file  Source: PDF EmbeddedFile object 123 at offset 0x14C60  Size: 291 bytes
javascript_obj0092_000.js
  SHA-256: 97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61
  Kind: pdf-javascript-stream  Source: PDF /JS object 92 at offset 0x323B  Size: 1946 bytes
stream_013_off000029cb.js
  SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
  Kind: decompressed-pdf-stream  Source: PDF FlateDecoded stream at offset 0x29CB  Size: 1532 bytes
stream_014_off00002bb6.js
  SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
  Kind: decompressed-pdf-stream  Source: PDF FlateDecoded stream at offset 0x2BB6  Size: 870 bytes
stream_018_off00003d5e.bin
  SHA-256: c29d09c36bd2a54132708e214e140c0f3481c40a9da403180068c56ed1a6278a
  Kind: decompressed-pdf-stream  Source: PDF FlateDecoded stream at offset 0x3D5E  Size: 79045 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Carved artifact entropy is 8.00, consistent with packed or encrypted content. 8.00 bits per byte is the ceiling for any byte stream, and already-compressed data such as a DCT-encoded image sits at the same ceiling; since the document carries two images, check this stream's magic bytes before treating it as a packed payload.
objstm_0126_00.bin
  SHA-256: ba08ce675f5a4edd23a5e7004fab9b39cd9f4a22a78e3315f0f79ca8628e5b98
  Kind: pdf-objstm-decoded  Source: PDF /ObjStm 126 0 obj (inflated)  Size: 1974 bytes
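The heuristics above (/JavaScript, /JS, /EmbeddedFile, /XFA and the action that makes the image lure clickable) and the entropy check on the carved streams are both reproducible with a few dozen lines of standard-library Python. The block below is an added example written for this page; it is not the analyser's own code and not code from the sample. It scans raw bytes pdfid-style, which means it does not descend into /ObjStm containers (the report's objstm_0126_00.bin shows why a separate inflate pass is needed), normalises the #xx hex escapes PDF allows inside names so that /#4AS is seen as /JS, inflates /FlateDecode streams and scores their Shannon entropy. The rule ids for /OpenAction, /Launch and /URI are labels chosen here, the sample PDF and the lure.example URL are constructed, and the entropy threshold of 7.9 is an assumption; the two-image caveat from the artifact table applies: a stream at the 8.0 ceiling may be a packed payload or a compressed image.

```python
import math
import random
import re
import zlib
from collections import Counter

# Name tokens the report's heuristics key on, mapped to rule ids (last three assumed).
INDICATORS = [
    (b"/JavaScript", "PDF_JAVASCRIPT"), (b"/JS", "PDF_JS"),
    (b"/EmbeddedFile", "PDF_EMBEDDED"), (b"/XFA", "PDF_XFA"),
    (b"/OpenAction", "PDF_OPENACTION"), (b"/Launch", "PDF_LAUNCH"),
    (b"/URI", "PDF_URI"),
]
NAME_END = rb"(?![A-Za-z0-9_])"  # so /JS does not match inside a longer name
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def normalise_names(data: bytes) -> bytes:
    """Decode the #xx hex escapes PDF allows inside names (/#4AS is /JS), so a
    scanner keyed on literal names is not trivially evaded. Keyword pass only."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_indicators(data: bytes, normalise: bool = True) -> dict:
    """Count each indicator name in the raw file; returns {rule_id: count}."""
    if normalise:
        data = normalise_names(data)
    return {rule: len(re.findall(re.escape(name) + NAME_END, data))
            for name, rule in INDICATORS}

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; 8.0 is the ceiling for any byte stream."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())

def stream_entropies(data: bytes) -> list:
    """(offset, decoded_length, entropy) per stream; /FlateDecode streams are
    inflated first so entropy is scored on the carved bytes, as the report does."""
    out = []
    for m in STREAM_RE.finditer(data):
        dict_start = data.rfind(b" obj", 0, m.start())  # this stream's own dictionary
        header = data[max(dict_start, 0):m.start()]
        raw = m.group(1)
        if b"/FlateDecode" in header:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass  # truncated or deliberately corrupt: score the raw bytes
        out.append((m.start(), len(raw), round(shannon_entropy(raw), 2)))
    return out

def triage(data: bytes, entropy_threshold: float = 7.9) -> dict:
    """Both passes together. High entropy only means incompressible: it fits a
    packed or encrypted payload and equally a DCT image, so check magic bytes."""
    streams = stream_entropies(data)
    return {
        "indicators": {r: c for r, c in scan_indicators(data).items() if c},
        "stream_count": len(streams),
        "high_entropy_streams": [s for s in streams if s[2] >= entropy_threshold],
    }

def build_sample_pdf() -> bytes:
    """Constructed lure-shaped PDF, not the analysed sample: JavaScript
    OpenAction, XFA <script>, incompressible attachment, #-escaped /URI link."""
    rng = random.Random(20100312)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))  # stand-in for a packed payload
    js = b'app.launchURL("http://lure.example/login", true);'
    xfa = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template><script contentType='
           b'"application/x-javascript">xfa.host.messageBox("hi");</script></template></xdp:xdp>')
    page = b"BT /F1 12 Tf 72 720 Td (Your document is ready) Tj ET\n" * 16

    def obj(num, body):
        return b"%d 0 obj\n%s\nendobj\n" % (num, body)

    def stream(num, body, extra=b""):
        comp = zlib.compress(body)
        return obj(num, b"<< /Length %d /Filter /FlateDecode %s>>\nstream\n%s\nendstream"
                   % (len(comp), extra, comp))

    return b"".join([
        b"%PDF-1.7\n",
        obj(1, b"<< /Type /Catalog /OpenAction 5 0 R /AcroForm << /XFA 7 0 R >> "
               b"/Names << /EmbeddedFiles << /Names [(invoice.bin) 8 0 R] >> >> >>"),
        obj(3, b"<< /Type /Page /Contents 4 0 R /Annots [9 0 R] >>"),
        stream(4, page),
        obj(5, b"<< /S /JavaScript /JS 6 0 R >>"),
        stream(6, js),
        stream(7, xfa),
        stream(8, blob, b"/Type /EmbeddedFile "),
        obj(9, b"<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
               b"/A << /S /#55RI /#55RI (http://lure.example/login) >> >>"),
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])

if __name__ == "__main__":
    print(triage(build_sample_pdf()))
```

Run it as a script to see the indicator counts and the single high-entropy stream; run scan_indicators(pdf, normalise=False) against the same sample to see the /URI hits disappear, which is the evasion the hex-escape normalisation exists to defeat. On a real file, pair this with an /ObjStm inflate pass and a /Length-based carver, since a regex that looks for the endstream keyword breaks on binary streams that happen to contain it.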