Malicious PDF — malware analysis report

Static analysis result for SHA-256 e37e236f576e2ac7…

Verdict: MALICIOUS
File type: PDF
Size: 13.52 MB
MD5: 4d990e3610fd42b02fa27af045f0c73d
SHA-1: 241d103ad17519b9711439290cb7d27bb8672235
SHA-256: e37e236f576e2ac7b770238e7c7adcf9e33e7a606c0374550748eda7f19e151c
Risk score: 106

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
  • T1204.002 User Execution: Malicious File
  • T1059 Command and Scripting Interpreter
  • T1059.001 Command and Scripting Interpreter: PowerShell

The T1059 / T1059.001 mapping is inferred from the lure rather than observed: none of the heuristics below records a PowerShell or other shell-execution primitive, and PDF_EMBEDDED_SCRIPT_PAYLOAD explicitly notes their absence.

The PDF carries a lure telling the user to install a browser extension or update in order to view the content. Four FlateDecoded streams classed as script were carved (the .js artifacts listed under Extracted artifacts), which indicates script the reader may execute. The script payload itself is obfuscated, but the embedded script streams together with the social-engineering lure strongly suggest an attempt to deliver a malicious payload, likely a browser extension or similar, to compromise the user's system. The URL http://www.wiley.com was found and is benign; the other extracted URLs are XMP metadata namespace identifiers that appear in any PDF with an XMP packet and are not navigable links. The 501+ stream count should be read against the file itself: a 13.52 MB document embedding 26 CFF fonts is expected to contain many streams, so PDF_MANY_STREAMS on its own is weak evidence of heap spray.

Heuristics (8)

  • SE_BROWSER_INSTALL_LURE (high): Browser extension / update installation lure
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation.
  • PDF_EMBEDDED_SCRIPT_PAYLOAD (medium): Embedded script payload in PDF stream
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • PDF_MANY_STREAMS (medium): Unusually high stream count
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
  • PDF_EMBEDDED (low): Embedded file
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream).
  • SE_URGENCY_LURE (low): Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    All five are XMP metadata schema namespace identifiers (RDF, Dublin Core, XMP Basic, Adobe PDF, XMP Media Management). They occur in any PDF that carries an XMP packet and are not links a reader can follow, so they add nothing to the verdict.

Extracted artifacts (30)

Files carved from inside the sample during analysis. Each entry gives filename, kind, source (where in the PDF the data was carved from) and size, with the SHA-256 of the carved file on the following line.

stream_134_off000d8cdb.js  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0xD8CDB  17573 bytes
    SHA-256: eace19f9e73b4eef325de5347bbf8882b0c3c551a6ab5d371925a1eb3fa90c4c
stream_144_off000eb079.js  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0xEB079  18473 bytes
    SHA-256: c943781fa4844aecf4d6a83003cc2bd80059606e382526ae223d041437bdb67e
stream_162_off00137807.js  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x137807  5868 bytes
    SHA-256: ac9fc2c5486759580805525d77bbc49d06538f7007544d0ab45d0961dd6f433d
stream_176_off00141def.js  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x141DEF  15603 bytes
    SHA-256: 031f015ce2d6307b68a4492fee601df4720b4f7faee22b45cd4b2cb07476d1a0
font_00_cff_off00147859.bin  pdf-font-stream  PDF embedded font (cff) at offset 0x147859  535 bytes
    SHA-256: 8c2f46d9cf5ab98f1f04780a0edc37268deac5f1123ffa86c76ee01861b74c46
font_01_cff_off001647cb.bin  pdf-font-stream  PDF embedded font (cff) at offset 0x1647CB  238 bytes
    SHA-256: 46595ed6b7f2b258d74925ed1f8f049346a2c5b854c37f4baffb0ec6e627219c
font_02_cff_off006756ce.bin  pdf-font-stream  PDF embedded font (cff) at offset 0x6756CE  852 bytes
    SHA-256: 8f9436abc81084d2a8ac2e155a064eabd39ebc2e287aca05dde900377d7d1128
font_03_cff_off00a26ba1.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xA26BA1  406 bytes
    SHA-256: d7acd6771cffe1ab0f48cd14968165a5405e6c6471408a2376ec0c8c128abcfa
font_04_cff_off00d5a51b.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD5A51B  2466 bytes
    SHA-256: 7e7d4695b6dbf560a97c25965591506d85c8eee7c7850916a2db9671f06a62fa
font_05_cff_off00d5bf66.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD5BF66  12456 bytes
    SHA-256: a176588d70024f29929fdbed141030a5540aa15b54b837df4c37d01b8d9aa1d8
font_06_cff_off00d5e576.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD5E576  9976 bytes
    SHA-256: ba2157aa394f9ff99da4e5071c4c42c2f2eeaf7f464cde21ab1ab0e76b604970
font_07_cff_off00d60c02.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD60C02  8656 bytes
    SHA-256: 0b795dc3c6977a325e81b4b896d04ec34d878a9a11e8d9a182fcb1d2d781a20a
font_08_cff_off00d6280b.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD6280B  8932 bytes
    SHA-256: 27dad960f77106bcee9af2bef41891a515c0d1142d3a932542dbf54543737776
font_09_cff_off00d643dd.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD643DD  8859 bytes
    SHA-256: f14e7efd893d3de11fb13e5b717f105ecc917c177d884263cb321d7adfd545c4
font_10_cff_off00d66555.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD66555  357 bytes
    SHA-256: 4055dc005cbddc8b1ab4cf99b75af75cead28ca99979f5e315207ee618a422e3
font_11_cff_off00d66814.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD66814  1572 bytes
    SHA-256: cee6d5bc907ab6f1a2375bb7bdbb88a2cbecad664aa5e40a9fcdbf2b701ba480
font_12_cff_off00d66fae.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD66FAE  1348 bytes
    SHA-256: 164a115d48afe28fcb2f805011f3845ab6a6d004fdc824dd032894c8a4e6bcd2
font_13_cff_off00d6768e.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD6768E  10607 bytes
    SHA-256: c9bc53879aca34093de6215f799507dadfa1a1f6285a207235d0c9d8fb5f180d
font_14_cff_off00d69d87.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD69D87  9139 bytes
    SHA-256: a4dcdedf3b638b52b71aa855e5488f81796846a64f5d92f0e9e324b341ece398
font_15_cff_off00d6bc5e.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD6BC5E  5838 bytes
    SHA-256: def775362684f0a22821c2895e66e51871a6931a36bf2fd339780d988891545c
font_16_cff_off00d6d0e8.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD6D0E8  4409 bytes
    SHA-256: fdbb18c1ba852611a64c98fbfca4b3be2ef742ed1b34694be32a75de7eff68d9
font_17_cff_off00d6e1a6.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD6E1A6  8382 bytes
    SHA-256: f1f4f11771f0eee750e43aabda1633c8082824645bfd7af854668d46f8e4b52d
font_18_cff_off00d70164.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD70164  1842 bytes
    SHA-256: 2a2c284a0b85e1ed59af523caf6d08eb9d0c84ac61972dff291c9a418fb55fcc
font_19_cff_off00d709f4.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD709F4  6691 bytes
    SHA-256: f2db4ffb15d1f0a74a5631d8562801f1962d9c6b8399d96fd3a9f979efd53a0a
font_20_cff_off00d72144.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD72144  2771 bytes
    SHA-256: 95c40302630b5e9d4414b263e5ea6681a46a01c71d262cac622c81c0a5221b44
font_21_cff_off00d72bfb.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD72BFB  1686 bytes
    SHA-256: 8d6b6b4349fbb8e718d5377c5200bbf0807e4c810ad4a36143bc2b0362c933ff
font_22_cff_off00d73205.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD73205  6232 bytes
    SHA-256: 8e59fa043ed5f3c2fd8c29e78f7bb01be9967e94234c14aa27b7d38e427278ee
font_23_cff_off00d74a47.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD74A47  2700 bytes
    SHA-256: 9de2c8aad7bcae32895358f09d1f06df9578c7d6a3483bb147578945219c138b
font_24_cff_off00d76add.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD76ADD  305 bytes
    SHA-256: 4b2013418ebd2f516554b754461bd6cf45b28953a12a3c423f17e40ac67d7998
font_25_cff_off00d76dc8.bin  pdf-font-stream  PDF embedded font (cff) at offset 0xD76DC8  2974 bytes
    SHA-256: d94ae9ca7f06be16c75ef4aec7ac32b914e6eb4ba7c5ccd0f9c3153883d2a40f
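As an added, runnable example (this editor's code, not the analysis service's and not content of the sample), the Python below does in miniature what the heuristics and the artifact table above record: it walks the PDF's stream objects, FlateDecodes them, names the carved files the way the table does (stream_<n>_off<hex>.<ext>, font_<n>_cff_off<hex>.bin, with the SHA-256 of the decoded bytes) and fires the PDF_EMBEDDED_SCRIPT_PAYLOAD, PDF_EMBEDDED, PDF_URI, PDF_MANY_STREAMS, EMBEDDED_URL and SE_BROWSER_INSTALL_LURE rules. The rule names and the 501 threshold are the report's; every regex, the kind names pdf-embedded-file and pdf-metadata-stream, and the per-URL channel labels xml-namespace, stream-body and uri-action are this example's own assumptions. The input is a constructed six-object PDF built inside the block, not the analysed sample, and the parser assumes a classic layout (no object streams, no encryption).

```python
"""Carve and triage PDF streams (added example, not the analysis service's own code).
Rule names and the 501 threshold are the report's; the regexes are this example's own.
Assumes a classic unencrypted layout without object streams (a real tool walks the xref)."""
import hashlib
import re
import zlib

# Dictionary directly before `stream`; (?!endobj) keeps a match inside one object.
STREAM_START_RE = re.compile(rb"<<(?P<dict>(?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only
URL_RE = re.compile(rb"https?://[^\s<>\"')]+")
URI_ACTION_RE = re.compile(rb"/URI\s*\((?P<url>[^)]*)\)")
XMLNS_RE = re.compile(rb"xmlns:\w+=[\"']$")  # a URL right after this is a namespace id
LURE_RE = re.compile(rb"install (?:the |a |an )?(?:browser |latest )?"
                     rb"(?:extension|plugin|viewer|update)", re.IGNORECASE)
MANY_STREAMS = 501  # threshold quoted by PDF_MANY_STREAMS above

def iter_streams(pdf):
    """Yield (dict_bytes, body_offset, body) for every stream object in pdf."""
    pos = 0
    while (m := STREAM_START_RE.search(pdf, pos)):
        dict_bytes, start = m.group("dict"), m.end()
        n = LENGTH_RE.search(dict_bytes)
        # Indirect /Length: scan for the terminator (a trailing \r is ignored by zlib).
        end = start + int(n.group(1)) if n else pdf.find(b"\nendstream", start)
        if end < start:
            break
        yield dict_bytes, start, pdf[start:end]
        pos = end

def classify(dict_bytes, decoded):
    """Return (kind, tag, extension) in the vocabulary of the artifact table."""
    if b"/Type1C" in dict_bytes or b"/CIDFontType0C" in dict_bytes:
        return "pdf-font-stream", "cff", "bin"            # FontFile3 CFF program
    if b"/EmbeddedFile" in dict_bytes:
        return "pdf-embedded-file", "attachment", "bin"
    if re.search(rb"<script", decoded, re.IGNORECASE):
        return "decompressed-pdf-stream", "script", "js"  # HTML/XFA script block
    if decoded.lstrip().startswith(b"<?xpacket"):
        return "pdf-metadata-stream", "xmp", "xml"
    return "decompressed-pdf-stream", "stream", "bin"

def analyze(pdf):
    """Carve artifacts; report stream count, fired heuristics and URLs by channel."""
    artifacts, heuristics, urls, fonts = [], set(), [], 0
    for index, (dict_bytes, offset, body) in enumerate(iter_streams(pdf)):
        decoded = body
        if b"/FlateDecode" in dict_bytes:
            try:
                decoded = zlib.decompress(body)
            except zlib.error:
                pass  # undecodable: carve and hash the raw bytes instead
        kind, tag, ext = classify(dict_bytes, decoded)
        if kind == "pdf-font-stream":
            name, fonts = f"font_{fonts:02d}_{tag}_off{offset:08x}.{ext}", fonts + 1
        else:
            name = f"stream_{index:03d}_off{offset:08x}.{ext}"
        artifacts.append({"name": name, "kind": kind, "offset": offset, "size": len(decoded),
                          "sha256": hashlib.sha256(decoded).hexdigest()})
        if tag == "script":
            heuristics.add("PDF_EMBEDDED_SCRIPT_PAYLOAD")
        if b"/EmbeddedFile" in dict_bytes or b"/EmbeddedFile" in decoded:
            heuristics.add("PDF_EMBEDDED")
        if LURE_RE.search(decoded):  # plain text only; Tj-encoded page text needs extraction
            heuristics.add("SE_BROWSER_INSTALL_LURE")
        for u in URL_RE.finditer(decoded):
            in_xmlns = XMLNS_RE.search(decoded[max(0, u.start() - 40):u.start()])
            urls.append((u.group().decode("latin-1"), "xml-namespace" if in_xmlns else "stream-body"))
    if len(artifacts) >= MANY_STREAMS:
        heuristics.add("PDF_MANY_STREAMS")
    for m in URI_ACTION_RE.finditer(pdf):  # /A << /S /URI /URI (...) >> link actions
        heuristics.add("PDF_URI")
        urls.append((m.group("url").decode("latin-1"), "uri-action"))
    if urls:
        heuristics.add("EMBEDDED_URL")
    return {"stream_count": len(artifacts), "artifacts": artifacts,
            "heuristics": sorted(heuristics), "urls": urls}

def build_sample_pdf():
    """Constructed input, not the analysed sample: one stream per heuristic."""
    xfa = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>'
           b'<script contentType="application/x-javascript">'
           b'xfa.host.messageBox("Install the viewer update to view this document");'
           b"</script></template></xdp:xdp>")
    xmp = (b'<?xpacket begin=""?><x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta><?xpacket end="w"?>')
    def flate(entries, raw):  # stream object with a direct /Length
        z = zlib.compress(raw)
        return (b"<<" + entries + b" /Filter /FlateDecode /Length " + str(len(z)).encode()
                + b" >>\nstream\n" + z + b"\nendstream")
    objs = [b"<< /Type /Catalog /AcroForm << /XFA 2 0 R >> >>",
            flate(b"", xfa), flate(b" /Type /Metadata /Subtype /XML", xmp),
            flate(b" /Type /EmbeddedFile", b"MZ" + b"\x00" * 30),            # stand-in attachment
            b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.wiley.com) >> >>",
            flate(b" /Subtype /Type1C", b"\x01\x00\x04\x02" + b"\x00" * 28)]  # stand-in CFF font
    body = b"".join(f"{n} 0 obj\n".encode() + o + b"\nendobj\n" for n, o in enumerate(objs, 1))
    return b"%PDF-1.7\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

analyze(build_sample_pdf()) returns four artifacts (script, XMP, attachment, CFF font), every rule above except PDF_MANY_STREAMS, and four URLs of which only http://www.wiley.com is labelled uri-action; the three xmlns URLs come back as xml-namespace, which is the check that keeps namespace identifiers like those in this report's EMBEDDED_URL list from being read as links. Two choices matter on real samples: the body is sliced by the dictionary's direct /Length rather than by searching for endstream, so compressed data that happens to contain that keyword is carved whole, and a stream that fails to inflate is still hashed and carved as raw bytes, since a stream that will not decode is exactly the one an analyst wants to look at.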