Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3a68b3db84e6da6…

MALICIOUS

PDF

1021.7 KB Created: 2009-12-23 18:15:05 UTC Authoring application: 377376A000d000o000b000e000 000D000e000s000i000g000n000e000r000 0007000.0000000(000I000n000f000i000x000)000 (via Adobe Designer 7.0)
MD5: 05268db1102578b7d987eb3d40ce6f43 SHA-1: c92e2aedc49604594e4eef2bc21e2a4aa0b6e02e SHA-256: e3a68b3db84e6da654ee524e255047f0fbc5d08d4735c8fbf546fcb91b1ac49d
64 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript is likely designed to exploit vulnerabilities within the PDF reader to download and execute a malicious payload. The presence of a URL shortener (http://tinyurl.com/y9yqlb5) and a signup URL (http://mail.google.com/mail/signup) suggests a lure or redirection mechanism. The SE_DOWNLOAD_BUTTON heuristic further supports the idea that the document is designed to trick the user into initiating a download.

Heuristics 9

  • Clickable URI uses URL shortener medium PDF_URL_SHORTENER_URI
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://mail.google.com/mail/signup
    • http://www.mozilla.com/firefox/
    • https://addons.mozilla.org/en-US/firefox/addon/4925
    • http://tinyurl.com/y9yqlb5

Extracted artifacts 12

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0105.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 105 at offset 0xFAD38 85 bytes
embedded_file_obj0106.bin
56bab83980c4e8f585467452f5892d55ed0141938eb70b60dcd9dd2c2afe5ba9		 pdf-embedded-file PDF EmbeddedFile object 106 at offset 0xFADF2 1372 bytes
embedded_file_obj0107.bin
1a06ce4688724594a77a30739ee7283779808016aa9a98c0fe7a074018a8d393		 pdf-embedded-file PDF EmbeddedFile object 107 at offset 0xFB0A2 16807 bytes
embedded_file_obj0108.bin
e45851fdfd997f7b3eae0f62d6f4820fe7801f3abb9b20f7bb34e90c22f8e732		 pdf-embedded-file PDF EmbeddedFile object 108 at offset 0xFBF20 142 bytes
embedded_file_obj0109.bin
741052c3995a9f57d86527bd28a01ef573bea600c8710813c7c30b436eadcb8d		 pdf-embedded-file PDF EmbeddedFile object 109 at offset 0xFBFEE 2269 bytes
javascript_obj0097_000.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 pdf-javascript-stream PDF /JS object 97 at offset 0xFA586 870 bytes
javascript_obj0099_001.js
4e139c8b22ec16bd5aa51575c80dec2bbf89b76977a06b68473031a0eb206366		 pdf-javascript-stream PDF /JS object 99 at offset 0xFA714 2794 bytes
javascript_obj0101_002.js
c876171bd867b66b7671fb337ff9e57d18cd15b43d344cf5a7243821300a408a		 pdf-javascript-stream PDF /JS object 101 at offset 0xFAA0E 1528 bytes
stream_004_off000148aa.bin
abcf9158e51e8518f8e66c75a7e5d27e019becf9fd18c90881f656da5e02fa26		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x148AA 1112520 bytes
stream_005_off0003dcf2.bin
09ba6ddba90d54939da45f96609fd02903d5a38a6107f880a8c51adaba98518d		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3DCF2 806598 bytes
stream_006_off000556e5.bin
67f5243bdc7d5ac11ba4150346e36e4f866e2ea3ad887753b7c73c0362e40c9f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x556E5 919680 bytes
font_00_cff_off00009518.bin
96161e3d15cf67591ef2a1c87940c8dc0af59a94fcfab5d6bfcf4cb992a24af8		 pdf-font-stream PDF embedded font (cff) at offset 0x9518 64586 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.