Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3d7e5ab1763c2f7…

Verdict: MALICIOUS
File type: PDF

Size: 3.48 MB
Created: 2013-08-01 12:57:08 +01:00
Authoring application: Adobe InDesign CS3 (5.0.4) (via Adobe PDF Library 8.0)
MD5: 55f0a094d71fe2920290af15ed74d3fe
SHA-1: 9b077919a9e3843ebf9266ce173e60217442303c
SHA-256: e3d7e5ab1763c2f7771a51a3db1c103fb637e3f794b93b18a11d2751ea6e8343
Risk Score: 76

Malware Insights

MITRE ATT&CK
T1566.003 Spearphishing Attachment

The primary heuristic identified an advance-fee lottery/parcel scam lure within the document's content. While no scripts were extracted, the PDF structure and embedded URLs suggest a malicious intent to deceive the user. The presence of an embedded JavaScript stream and a high stream count indicates potential obfuscation or exploit delivery mechanisms, though their specific function could not be determined without further analysis.

Heuristics (5)

  • Advance-fee lottery/parcel scam lure (severity: high, rule: SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Unusually high stream count (severity: medium, rule: PDF_MANY_STREAMS)
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger (severity: low, rule: PDF_OPTIONAL_CONTENT)
    An Optional Content Group (layer) co-occurs with an action trigger: content can be selectively hidden from viewers or scanners while the action still fires on open.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.color.org)/S/GTS_PDFX/Type/OutputIntent
    • http://www.color.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/illustrator/1.0/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/g/
    • http://ns.adobe.com/xap/1.0/sType/Font#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://www.npes.org/pdfx/ns/id/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xmp/InDesign/private
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • stream_011_off0001a428.bin
    SHA-256: 7f65c98017f35adb8f8c6056a8c6eb47769e36efd79359497b63ba6244e689bc
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1A428
    Size: 74688 bytes
  • stream_012_off0002505f.bin
    SHA-256: 6ea999c06d918ac8f87c2657659894d866304df2be2e7a5389e942b87fcb1812
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2505F
    Size: 772171 bytes
  • font_00_sfnt_off00010e66.bin
    SHA-256: 1af0dc5b369686a56dc5e281afde594a32fd3e8629ff076488583dec22dc6062
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10E66
    Size: 70188 bytes
  • font_01_cff_off00163009.bin
    SHA-256: a64c336208ee3243d806b1cba7e9ef34e414a657fdf412b1d7b56d4e2cfe7d69
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x163009
    Size: 1880 bytes
  • font_02_sfnt_off002b466d.bin
    SHA-256: 45f19c2c7eea941e25fcb6dcfd78936ca70e90254fc105f859b0fabd188ceb53
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2B466D
    Size: 57828 bytes
  • font_03_sfnt_off002bbae2.bin
    SHA-256: 152bfdc91bf45411cee0726dc179f14e8278b897fe0c03fe29e729d69f5c20f1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2BBAE2
    Size: 71156 bytes
  • font_04_sfnt_off002c80ad.bin
    SHA-256: 9499438f2e5c303ec639781af49eb31395ffd1bc22dc7ad5f102542ee8424941
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C80AD
    Size: 62972 bytes
  • font_05_sfnt_off002d1813.bin
    SHA-256: 3037dfba3deaca8c6465c42d0aad4bad35ab659082ab1a80191232963a05a04f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2D1813
    Size: 52420 bytes