Donoff — PDF malware analysis

Static analysis result for SHA-256 e4426738a8ed366f…

Verdict: MALICIOUS
File type: PDF
Size: 58.0 KB
Created: 2017-04-21 13:24:55 +03:00
Authoring application: iTextSharp 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5: fe90a667c0c427c3dd8425357141a185
SHA-1: edf9adaa11fbc9071f7cf6c3225e32bdb3d8e7e6
SHA-256: e4426738a8ed366f2773aa3ac9374dae6f3ad41759dd3227a8d025fac2af9b49
Risk Score: 174

Malware Insights

Donoff · confidence 95%

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The file was identified as malicious by ClamAV with the signature Doc.Downloader.Donoff-10030369-0, and ML classifiers also flagged it with high confidence. Heuristics indicate the presence of embedded JavaScript and an embedded file, suggesting the PDF is designed to download and execute a second-stage payload. The document body was unreadable, but the combination of heuristics and the ClamAV detection strongly points to downloader functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Doc.Downloader.Donoff-10030369-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Donoff-10030369-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: 825941.docm
SHA-256: 2665260758371f88ca4e49dd577e885fc138651a0e2b3564309b892eea36f7af
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 3 at offset 0x61
Size: 70800 bytes
Detection: ClamAV: Doc.Downloader.Donoff-10030369-0
Obfuscation or payload: unlikely

Filename: javascript_obj0005_000.js
SHA-256: cf0a9c738d1ff48a6951e6f652ec6e5e9cfd41704454e8a20532f9b92dcaa0e8
Kind: pdf-javascript-stream
Source: PDF /JS object 5 at offset 0xE239
Size: 387 bytes