Malicious PDF — malware analysis report

Static analysis result for SHA-256 e55652745c921999…

MALICIOUS

PDF

Size: 2.83 MB
Created: 2011-03-15 09:10:27 +01:00
MD5: be508acd92d843624bea8d8bb89140dd
SHA-1: b0b6840dae65a014b90bc15f15dbc77f94b25f90
SHA-256: e55652745c92199930e707d6927cfb1b0c6c15dcf25280cd9b1b1bbcdaacae87
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_EMBEDDED_SCRIPT_PAYLOAD, and PDF_EVAL. The presence of PDF_CCITT_CVE_2010_0188_RELATED suggests exploitation of a known PDF vulnerability. The ML classifier also flagged the PDF as malicious. The embedded script is likely responsible for downloading and executing a second-stage payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7361

Heuristics (7)

  • CCITTFaxDecode + TIFF/XFA exploit prep — LibTIFF CVE-family indicator [high, CVE related] PDF_CCITT_CVE_2010_0188_RELATED
    PDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
  • eval() call [high] PDF_EVAL
    eval() found; commonly used for obfuscated exploit execution.
  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode [low] PDF_FROMCHARCODE
    String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (16)

Files carved from inside the sample during analysis. Each entry lists filename, SHA-256, kind, source and size.

embedded_pdf_script_002d3c82.bin
  SHA-256: 59fcc1e55883555021d1e283ed60b60fe4b6b33914fcde51aa2fc04591199a4d
  Kind: pdf-embedded-script; Source: PDF decompressed stream script payload at offset 0x2D3C82; Size: 2972079 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 6 long base64-like blob(s))

icc_00_off00004413.icc
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  Kind: pdf-icc-profile; Source: PDF ICC profile at offset 0x4413; Size: 3144 bytes

font_00_cff_off00005236.bin
  SHA-256: eed32fb6b94420f554c3a8baafbbf15d4bf4d51a76b44af314971e679a63105e
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x5236; Size: 6032 bytes

font_01_cff_off00006614.bin
  SHA-256: 685c217b1a599888ab7f850ddbd59fc08797483b295233ed7cf77b985af81d68
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x6614; Size: 5318 bytes

font_02_cff_off000077b5.bin
  SHA-256: a26e27a901c468ed3f5a00def425c5b0fde50a67eb687499cfbf048d81bb9745
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x77B5; Size: 5034 bytes

font_03_cff_off0000882a.bin
  SHA-256: 12574d0a81941eb7f6b84616a9054858dcf2461f89357f652c65150f6472995a
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x882A; Size: 3709 bytes

font_04_cff_off0005354f.bin
  SHA-256: 4482f003d39fdd3f8c9e0ebcce0493de8996cf7a1aeaac872cdc81eae879d1ea
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x5354F; Size: 117 bytes

font_05_cff_off00070c96.bin
  SHA-256: a76d406b6bdb0e9e3163bba2a5256d22c82f35d3578a06670778279fb11320a9
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x70C96; Size: 907 bytes

font_06_cff_off0007d298.bin
  SHA-256: 7552efe645d21a12dc02c71be6a3ec3a3150c4295dd43967ed9de3d27a2948d0
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x7D298; Size: 2848 bytes

font_07_cff_off002ca7d2.bin
  SHA-256: fa954e14f09d4f3ac3465fa91a5c478a9e02471e7a6f9a94756f8d0ee723e77b
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x2CA7D2; Size: 1742 bytes

font_08_cff_off002cb22e.bin
  SHA-256: db7daa9f0908b7218c90a3ee4e6d834668bdd34ca85eef7e977e2c77a367c3bf
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x2CB22E; Size: 2739 bytes

font_09_cff_off002cbbe5.bin
  SHA-256: 3cda2523ff711b867c1184d42db9a119deeec736d759f720c73e2ffa4ab80f6b
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x2CBBE5; Size: 5536 bytes

font_10_cff_off002cd4e9.bin
  SHA-256: d168f3722bdea58c7598cee38b7e323b4a148ab23243644d6c823fcbb025c7a1
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x2CD4E9; Size: 244 bytes

font_11_cff_off002cd739.bin
  SHA-256: be3aa65c345af5c10aa9cd6dcc26a9c57642f2625757aa1df159b570c31590dd
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x2CD739; Size: 5413 bytes

font_12_cff_off002cf2cc.bin
  SHA-256: fafde9b332486cf30c9ee2d2b06b177a582f6ff6518459744040fb512e39d616
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x2CF2CC; Size: 1831 bytes

font_13_cff_off002d0144.bin
  SHA-256: e33a9a78407b709f13283ff0a817130b3523cf370fbd847bab568e4aac336259
  Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x2D0144; Size: 4109 bytes