Verdict: MALICIOUS
Risk Score: 236
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
T1204 User Execution
The PDF triggers critical heuristics for XFA heap-spraying exploit code, a ZIP payload with executable entries hidden in a raw stream, and an embedded Windows executable with a verified PE header in another stream. Together with the /JavaScript action and /JS stream references and the SE_LOLBIN_RUN_COMMAND hit, this indicates a document built to execute code rather than a normal interactive form. The ZIP archive contains JavaScript files that likely facilitate execution of the embedded PE payload, completing the loader chain.
Heuristics (7)
- PDF_XFA_HEAP_SPRAY (critical): XFA JavaScript heap-spray exploit code. PDF contains XFA script content with heap-spray or shellcode-like JavaScript markers such as large encoded word sequences, util.pack, large arrays, or spray variable names. This is a weaponised Adobe Reader exploit pattern, not a normal interactive form.
- PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD (critical): Hidden ZIP payload with executable entries inside PDF stream. PDF stream bytes contain an embedded ZIP archive whose local headers name executable payload files. This is not a normal PDF attachment (/EmbeddedFile); it hides Windows payloads inside an ordinary stream, a strong malware-loader or smuggling pattern.
- PDF_EMBEDDED_PE_PAYLOAD (critical): Embedded Windows executable payload in PDF stream. PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
- SE_LOLBIN_RUN_COMMAND (high): Visible LOLBin command execution instruction. Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
- PDF_JAVASCRIPT (low): JavaScript action. PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF_JS (low): Embedded JS stream. PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://search-network-plus.com/load.php?a=a&st=Internet%20Explorer%206.0&e=2
  - http://192.168.0.1:4444/wipconn
  - http://192.168.0.176:2869/upnp/eventing/ubrjophext
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/iX/1.0/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
  - http://www.mozilla.org/xbl
  - http://www.mozilla.org/MPL/
  - http://images.google.com/images?hl=en&q=old+software&aql=&oq=&um=1&ie=UTF-8&sa=N&tab=wi
  - http://video.google.com/videosearch?hl=en&q=old+software&aql=&oq=&um=1&ie=UTF-8&sa=N&tab=wv
  - http://maps.google.com/maps?hl=en&q=old+software&aql=&oq=&um=1&ie=UTF-8&sa=N&tab=wl
  - http://news.google.com/news?hl=en&q=old+software&aql=&oq=&um=1&ie=UTF-8&sa=N&tab=wn
  - http://www.google.com/products?hl=en&q=old+software&aql=&oq=&um=1&ie=UTF-8&sa=N&tab=wf
  - http://mail.google.com/mail/?hl=en&tab=wm
  - http://www.google.com/intl/en/options/
  - http://books.google.com/books?hl=en&q=old�i�
  - http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xu
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| hidden_pdf_zip_off0002f323.zip | a88161cca500891bbbe68116f8fb10286540fd339beb6fdd71042f20f7a7f57b | pdf-hidden-zip | PDF raw stream ZIP payload at offset 0x2F323 | 3167464 bytes |
| embedded_pdf_00245000.exe | 5718c19fbe6c4b1ee58c3359d2ae6b89c0d80e2a77597fd4cffd4aaa0f0b928f | embedded-pe | PDF raw stream PE payload at offset 0x245000 | 981003 bytes |
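As an added, stand-alone example (not the analyzer's own code), the Python below re-implements the byte-level checks behind the heuristics and the carved artifacts listed above: it walks ZIP local file headers found anywhere in the raw bytes to list executable entry names, verifies candidate MZ headers by following e_lfanew to a PE\0\0 signature and sizes the image from its section table so it can be carved at an offset like 0x2F323 or 0x245000, and adds simple pattern checks for /JavaScript, /JS, %u-encoded spray data and visible LOLBin command text. The rule names mirror the report; the regexes, the e_lfanew bounds, the extension list, the severity labels and the sample PDF bytes are constructed assumptions of this example.

```python
import re
import struct
from dataclasses import dataclass

# Rule IDs mirror the report; thresholds and regexes below are this example's assumptions.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".hta", ".js", ".vbs", ".bat", ".cmd", ".ps1")
# Heap-spray markers: util.pack, or long runs of %uXXXX words (unescape-encoded shellcode / sled).
HEAPSPRAY_RE = re.compile(rb"util\.pack|(?:%u[0-9a-fA-F]{4}){16,}")
LOLBIN_RE = re.compile(rb"\b(powershell|mshta|rundll32|regsvr32|cmd(?:\.exe)?)\b", re.I)


@dataclass
class Finding:
    rule: str
    severity: str
    offset: int
    detail: str


def zip_local_entries(data: bytes):
    """Yield (offset, filename) for every ZIP local file header in raw bytes.
    Works on any stream, not only a declared /EmbeddedFile, which is the smuggling case."""
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos >= 0 and pos + 30 <= len(data):            # 30-byte fixed local header
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30:pos + 30 + name_len].decode("latin-1", "replace")
        yield pos, name
        pos = data.find(ZIP_LOCAL_HEADER, pos + 30 + name_len + extra_len)


def pe_images(data: bytes):
    """Yield (start, end) for each 'MZ' whose e_lfanew lands on a real PE\\0\\0 signature.
    end = max(PointerToRawData + SizeOfRawData) over the section table, i.e. the carve size."""
    pos = data.find(b"MZ")
    while pos >= 0 and pos + 0x40 <= len(data):
        e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
        pe = pos + e_lfanew
        # Assumed sane bounds on e_lfanew reject the random 'MZ' pairs common in compressed data.
        if 0x40 <= e_lfanew <= 0x1000 and pe + 24 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00":
            _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
            sect = pe + 24 + opt_size                        # first IMAGE_SECTION_HEADER
            end = sect + 40 * nsect
            for i in range(nsect):
                hdr = sect + 40 * i
                if hdr + 40 > len(data):
                    break
                raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
                end = max(end, pos + raw_ptr + raw_size)
            end = min(end, len(data))
            yield pos, end
            pos = data.find(b"MZ", end)
        else:
            pos = data.find(b"MZ", pos + 2)


def scan_pdf(data: bytes):
    """Run the six byte-level heuristics and return a list of Finding."""
    found = []
    if b"/JavaScript" in data:
        found.append(Finding("PDF_JAVASCRIPT", "low", data.find(b"/JavaScript"), "/JavaScript action"))
    m = re.search(rb"/JS\b", data)
    if m:
        found.append(Finding("PDF_JS", "low", m.start(), "/JS stream reference"))
    m = HEAPSPRAY_RE.search(data)      # the report's rule scopes this to XFA script content; simplified here
    if m:
        found.append(Finding("PDF_XFA_HEAP_SPRAY", "critical", m.start(), m.group(0)[:24].decode("latin-1")))
    for off, name in zip_local_entries(data):
        if name.lower().endswith(EXECUTABLE_EXTS):
            found.append(Finding("PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD", "critical", off, name))
    for start, end in pe_images(data):
        found.append(Finding("PDF_EMBEDDED_PE_PAYLOAD", "critical", start, f"{end - start} bytes, verified PE signature"))
    m = LOLBIN_RE.search(data)
    if m:
        found.append(Finding("SE_LOLBIN_RUN_COMMAND", "high", m.start(), m.group(0).decode("latin-1")))
    return found


def build_fake_pe() -> bytes:
    """Constructed minimal PE: MZ stub, PE signature, COFF header, one section header, 16 raw bytes."""
    raw = b"\x90" * 16
    hdr_size = 0x40 + 4 + 20 + 40
    mz = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                 # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)         # i386, 1 section, no optional hdr
    sect = b".text".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", len(raw), 0x1000, len(raw), hdr_size, 0, 0, 0, 0, 0x60000020)
    return mz + b"PE\x00\x00" + coff + sect + raw


def build_fake_zip_entry(name: bytes, payload: bytes) -> bytes:
    """Constructed ZIP local file header (stored, no data descriptor) followed by its payload."""
    fixed = struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, 0, len(payload), len(payload), len(name), 0)
    return ZIP_LOCAL_HEADER + fixed + name + payload


FAKE_PE = build_fake_pe()
# Constructed sample PDF: XFA+JavaScript catalog, a %u-encoded spray, a stream hiding a ZIP whose
# entry is named like a dropper (its body carries a bogus 'MZ' to exercise the PE verification),
# a stream holding the fake PE, and visible LOLBin text in an annotation.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    + b"1 0 obj<</Type/Catalog/AcroForm<</XFA 2 0 R>>/OpenAction<</S/JavaScript/JS 3 0 R>>>>endobj\n"
    + b"3 0 obj<</Length 116>>stream\nvar s=unescape('" + b"%u0c0c" * 16 + b"');\nendstream endobj\n"
    + b"4 0 obj<</Length 57>>stream\n" + build_fake_zip_entry(b"dropper.exe", b"MZ-not-a-real-pe")
    + b"\nendstream endobj\n"
    + b"5 0 obj<</Length 144>>stream\n" + FAKE_PE + b"\nendstream endobj\n"
    + b"6 0 obj<</Type/Annot/Contents(Open with powershell -w hidden -nop)>>endobj\n"
    + b"%%EOF\n"
)

if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f"{f.severity:8} {f.rule:36} @0x{f.offset:06x} {f.detail}")
```

To use it on a real sample, call scan_pdf on the file bytes and slice the input at the (start, end) pairs from pe_images to carve the executable, exactly as the artifacts table records offsets and sizes. One caveat: this scans bytes as stored, so a payload inside a FlateDecode-compressed stream is only visible after that stream is inflated; run the same checks over each decoded stream as well as the raw file.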