Malicious PDF — malware analysis report

Static analysis result for SHA-256 e2e3fef0b8cd9871…

MALICIOUS

PDF

48.9 KB First seen: 2015-09-17
MD5: 17de557efb365a35c6c09a7f61a7db30 SHA-1: b2f90d768ae357c9b10ea6c9c77012fdadc40842 SHA-256: e2e3fef0b8cd9871fc526e8f53cbaddfcc23cf6b50dbc6afb5bcb594104ddcb2
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript

The PDF sample contains embedded JavaScript and utilizes XFA forms, both of which are common vectors for exploiting PDF reader vulnerabilities. The ML classifier strongly indicates malicious intent. While the specific payload or exploit is not discernible from the provided evidence, the presence of these elements suggests an attempt to execute malicious code upon opening the document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9064

Heuristics 5

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_cff_off00001a32.bin pdf-font-stream PDF embedded font (cff) at offset 0x1A32 1138 bytes
SHA-256: ea8f409c7366ed46eeb553aa7b404f04641f482ba88463fbe253da60be5787e5
font_01_sfnt_off00002241.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2241 65932 bytes
SHA-256: 1f068d668b316fcb46f0801be00137fb749cc7fda5ca15e442829d6c303d8f99
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)

Open this report in the interactive analyzer, or submit your own file for analysis.