Malicious PDF — malware analysis report

Static analysis result for SHA-256 de59f0a2e43b2222…

MALICIOUS

PDF

140.8 KB Created: 2016-04-30 15:18:05 +01:00 Authoring application: Acrobat Editor 8.0 (via Adobe Acrobat 8.0)
MD5: de05da49adaa50445bfa8eff5f6d102d SHA-1: 0b4e28e10993aa78470cc349eec98b8a4ef28518 SHA-256: de59f0a2e43b2222b784a4599cebb5674720ba967a2387497dd0188f9202cc99
110 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file exhibits multiple indicators of malicious activity, including the presence of JavaScript actions and an embedded file. The ML classifier strongly flags this PDF as malicious, correlating with the detected JavaScript. The primary URL associated with the embedded content is highly suspicious. The combination of these factors suggests the document is designed to deliver a secondary malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9925

Heuristics 6

  • Correlated malicious PDF JavaScript signals critical PDF_CORRELATED_MALICIOUS_JS
    PDF JavaScript or auto-action content is corroborated by exploit staging, ML, or suspicious extracted-artifact findings. This correlation promotes old exploit-kit PDFs that otherwise remain in the suspicious band because each individual signal is intentionally weighted conservatively.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ydray.com/get/f/WVQyNDIxMD11564239MDAy/vKmPMTE1NjQy639TZ/310092/9d3880936e7fc59909e6c63f6c87825d)/S/URI
    • https://ydray.com/get/f/rPZ2NTg1OTA11619425TA4/AMMTE2MTk0998cZ/312146/44a5cf2ff1c3ad7f9866b8d69100f47b)/S/URI
    • https://ydray.com/get/f/AVn0OTUy11620939UyNzUy/EwMTE2MjA5913la/312188/fcc4c5a5771db122e84e7632133e8c92)/S/URI
    • https://ydray.com/get/f/sBf2MTg11621697Tg5MTgw/tUiMTE2MjE2723VP/312210/8a064fff5c72b076df5d9b4320c264c9)/S/URI
    • https://ydray.com/get/l/GgH2NDQzM11867178zMjQy/jCtWMTE4Njcx366Is)/S/URI
    • https://ydray.com/get/l/hpH1NzQ0NTgz11902096gz/ZtmzMTE5MDIw589CR)/S/URI
    • https://ydray.com/get/l/OKy2MTQ4Mjkz11902680kz/jPLzMTE5MDI2949ZE)/S/URI
    • https://ydray.com/get/l/FrkyOTE5NTk51193796k5/fGMTE5Mzc5147ei)/S/URI
    • https://ydray.com/get/l/GNf1Mzc4NTM1193805TM3/PqMTE5Mzgw939Vi)/S/URI
    • https://ydray.com/get/l/kZK3ODA5NDA11938130DA5/OFMTE5Mzgx29iB)/S/URI
    • https://ydray.com/get/l/zOvzOTgxMzQ41193824Q4/oEMTE5Mzgy277po)/S/URI
    • https://ydray.com/get/l/EomyMjU2NT11938338NTkx/XSLMTE5Mzgz964Up)/S/URI
    • https://ydray.com/get/l/SLv5MDU0OTg11939276Tg5/TPEWMTE5Mzky386wl)/S/URI
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Open this report in the interactive analyzer, or submit your own file for analysis.