Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7676a40df339b94…

Verdict: MALICIOUS
File type: PDF
Size: 2.11 MB
Created: 2002-12-12 17:48:20 -07:00
Authoring application: Adobe Illustrator 10.0 (via Adobe PDF library 5.00)
MD5: 32faa35102a6d56a86260b5535ba14d6
SHA-1: c15d1e819dcfe81c9e6184f8ae30eeb1d750842c
SHA-256: e7676a40df339b9400851185b086fa2559b034001531103498cb36d9344f943b
Risk score: 170

Malware Insights

MITRE ATT&CK
  • T1553.005 Mark-of-the-Web Bypass
  • T1204.002 Malicious File
  • T1027 Obfuscated Files or Information

Two critical heuristics fired on this PDF: an embedded Windows executable payload and a hidden ZIP archive containing an executable. The PDF_EVAL heuristic suggests that obfuscated JavaScript or similar code is used to trigger the exploit. The embedded executable is the primary payload and is likely intended to be run by the user. The extracted URL is suspicious and may be related to the delivery or command-and-control infrastructure.

Heuristics (6)

  • Hidden ZIP payload with executable entries inside PDF stream (critical, PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD)
    PDF stream bytes contain an embedded ZIP archive whose local headers name executable payload files. This is not a normal PDF attachment (/EmbeddedFile); it hides Windows payloads inside an ordinary stream, a strong malware-loader or smuggling pattern.
  • Embedded Windows executable payload in PDF stream (critical, PDF_EMBEDDED_PE_PAYLOAD)
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than in standard /EmbeddedFile attachments.
  • eval() call (high, PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution.
  • String.fromCharCode (low, PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so on its own this is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
  • PDF differential parser failed (info, PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file: "PDF differential parser failed: PSEOF". Static heuristics still ran and their findings above remain valid; only the differential cross-check signal is missing.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://www.mozilla.org/MPL/
    • http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
    • http://netscape.com/rdf-cert#
    • http://home.netscape.com/NC-rdf#
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • hidden_pdf_zip_off00072c22.zip
    SHA-256: 0fb5151d53f91c8a7c05dc826efe395667434ca409c0e5c0686afb305eae9be3
    Kind: pdf-hidden-zip
    Source: PDF raw stream ZIP payload at offset 0x72C22
    Size: 501123 bytes
  • embedded_pdf_0002a000.exe
    SHA-256: 97484505ba752c848626c303c94ffa07577ba10d3694d28a05878fe90186d83b
    Kind: embedded-pe
    Source: PDF raw stream PE payload at offset 0x2A000
    Size: 799141 bytes