Malicious PDF — malware analysis report

Static analysis result for SHA-256 e20a60db22c4480a…

Verdict: MALICIOUS
File type: PDF
Size: 181.2 KB
Created: 2010-05-18 02:44:35 +08:00
MD5: 96e88e94519656d196c0ecdc7f8ef64e
SHA-1: 6374797c85d3058797af447860a1d3b195d4be9b
SHA-256: e20a60db22c4480a5234a3bbb1dff10f775daab17837f5c6945140008b4d0c27
Risk score: 74

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.007 JavaScript

This PDF file exhibits multiple indicators of malicious activity, including embedded files, JavaScript, and RichMedia (Flash) content. The presence of 'SnowDisplay.swf' as an extracted artifact strongly suggests the document is designed to deliver or execute a Flash-based exploit or payload. The embedded JavaScript further supports this, likely used to trigger the exploit or download additional malicious content. The benign reputation of the URLs does not detract from the malicious nature indicated by the embedded objects and heuristics.

Heuristics (7)

  • RichMedia (Flash) [severity: high, rule PDF_RICHMEDIA]
    PDF contains /RichMedia (Adobe Flash), which is a historic exploit vector (matched inside decoded stream)
  • Embedded file [severity: low, rule PDF_EMBEDDED]
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action [severity: low, rule PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream [severity: low, rule PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form [severity: low, rule PDF_XFA]
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Suspicious extracted artifact [severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [severity: info, rule EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (14)

Files carved from inside the sample during analysis. Each entry lists the filename, its SHA-256, the artifact kind, the source location inside the PDF, and the size.

  • embedded_file_obj0049.bin
    SHA-256: 89d4e3117ae2ff7ed2505b8ec12d6e0c11ae98e5825a09b8d952f850f6f7fcf9
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 49 at offset 0xE022
    Size: 1560 bytes
  • embedded_file_obj0050.bin
    SHA-256: d80006a945db7f9d6492ea0c8e1d51c45699b8af1359070585109a3a0d6af9e9
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 50 at offset 0xE309
    Size: 5164 bytes
  • embedded_file_obj0052.bin
    SHA-256: ddb337c1574afffe4e7d1907cc78681e2ac0edf7145a7b1bc8fd896b4e4be9e5
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 52 at offset 0xEB67
    Size: 2860 bytes
  • embedded_file_obj0053.bin
    SHA-256: 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 53 at offset 0xEEBD
    Size: 200 bytes
  • embedded_file_obj0054.bin
    SHA-256: fcfa5d840723a70c580703ad7100bb254bef11c51f7f121657362691e2198472
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 54 at offset 0xEFB1
    Size: 835 bytes
  • SnowDisplay.swf
    SHA-256: b8162b84acd4e45cd57b4d1d9938445a732935b25498d1806a9d5653e242ceee
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 135 at offset 0x186ED
    Size: 79980 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 8.00, consistent with packed or encrypted content)
  • embedded_file_obj0144.bin
    SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 144 at offset 0x2CB7B
    Size: 85 bytes
  • embedded_file_obj0145.bin
    SHA-256: bdc730827949ff085e6c06182c3c9cb75f49736cc91e34091408a30efd338bb8
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 145 at offset 0x2CC30
    Size: 11882 bytes
  • embedded_file_obj0146.bin
    SHA-256: 2fcf50e16f4d0d38b64fc560853e47af5b49aff48d2d6b8366483d769af031cb
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 146 at offset 0x2D0C4
    Size: 697 bytes
  • stream_045_off0000ffa0.js
    SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xFFA0
    Size: 1532 bytes
  • stream_046_off0001018c.js
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1018C
    Size: 870 bytes
  • stream_052_off0002c7fe.bin
    SHA-256: a930848340b561d98d53299cb7adfad76ab300e17a688ce4d56cb7f09082f33e
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2C7FE
    Size: 1030 bytes
  • objstm_0148_00.bin
    SHA-256: 23488685d57fbbc98ff7d7603dcc8ed166eba1a953c83e49582716aeee7d262b
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 148 0 obj (inflated)
    Size: 2141 bytes
  • objstm_0169_00.bin
    SHA-256: 1e5d0a35c3eab5d0a39ec44d84adffde16689519988ae7812f6fd34796d192a6
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 169 0 obj (inflated)
    Size: 443 bytes