Malicious PDF — malware analysis report

Static analysis result for SHA-256 e895f6be9e8bdd63…

MALICIOUS

PDF

Size: 3.87 MB
Created: 2009-11-16 10:40:57 +08:00
Authoring application: Adobe Acrobat 8.0 Combine Files (via Adobe Acrobat 8.0)
MD5: a919f0b96b6180027c4ff2c7e7cf11a7
SHA-1: e4646ee71d1fe167b3c6efeee5602dbbf217b857
SHA-256: e895f6be9e8bdd633169da162073b3b973eb7ec33c2252de5ca1f9426b471895
Risk score: 86

Malware Insights

MITRE ATT&CK
  • T1059.001 JavaScript/JScript
  • T1553.005 Mark-of-the-Web Bypass
  • T1105 Ingress Tool Transfer

The PDF contains embedded JavaScript and multiple embedded PDF files, indicating a multi-stage attack. The presence of PDF_JAVASCRIPT and PDF_EMBEDDED_CHILD_STATIC_TRIAGE heuristics strongly suggests the file is designed to execute malicious code and potentially download additional payloads. The external URI http://www.opencloner.com/ is noted, though its reputation is benign. The embedded child PDFs also show suspicious static findings, further supporting a malicious intent.

Heuristics (6)

  • PDF_EMBEDDED_CHILD_STATIC_TRIAGE (critical): Embedded PDF child has suspicious static findings
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_EMBEDDED (low): Embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (27)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
1.pdf
868da2e3606d4e46171959dfa0204f2cc6576c7daca4c9f46e51a6842635c248
pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x1F496 113683 bytes
21.pdf
52dd09cb3ea5ba22ba2257e7e53d106df277433bcf85302362db1446bf87abe0
pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x6DC6E 67379 bytes
22.pdf
464b90a5c79285962c11601e65a27d7e3cccbc20e65c7434a12b59490da29709
pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x7A8CE 119369 bytes
23.pdf
7cb577c7d209868d9416077aedf8ab814bc555eb4ab0cdefa85e6131a34d7b00
pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x91774 109264 bytes
31.pdf
12ad5a99985baaef17940d1777a9d22b8168304c94ad79d3c4f2cf5d9c92604d
pdf-embedded-file PDF EmbeddedFile object 6 at offset 0xB4441 128191 bytes
32.pdf
7d82b319f58118af2e86ad9979f0e50f3f61b481fc0f63427c10f4bd9cde8851
pdf-embedded-file PDF EmbeddedFile object 7 at offset 0xCF0A3 126041 bytes
33.pdf
c6a3217a60858fead3448b9d47ff76d6e36fa397ab68e233b6e51f26c3944589
pdf-embedded-file PDF EmbeddedFile object 8 at offset 0xE9553 221609 bytes
34.pdf
e78b481788f98a0ae8941bfc4aaf9004baf39fb34b0f612eaea75d4aa5af06b8
pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x119042 206978 bytes
411.pdf
aba17d8cdbb1f673a1c1ebed2a4af2a07d5d42e87ebc9687bb58190b7fa356c6
pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x143C40 160837 bytes
412.pdf
9664d4ac87f9cc50ee277d67e0df4d7a866c3f574f4696c167652a5f01e1e3fc
pdf-embedded-file PDF EmbeddedFile object 11 at offset 0x1654AB 165174 bytes
421.pdf
98f0626451cb6514cb6cb0185ed0cea44b96c6e764626f630e25faa05073d8ff
pdf-embedded-file PDF EmbeddedFile object 12 at offset 0x187B32 432682 bytes
422.pdf
d1e385ed5c19c4c0e7a569e785a9ca5d4639102c6e501e6b6f5f99a8905c8717
pdf-embedded-file PDF EmbeddedFile object 13 at offset 0x1E68AA 393906 bytes
423.pdf
8f265456cbd3ddbe34bd5bbed0893aa67a291d2bab6cfc823f7aa9a88b3e6ed9
pdf-embedded-file PDF EmbeddedFile object 14 at offset 0x23C723 405488 bytes
424.pdf
5fe2ad10cc7ab056abcf08fe0fc67a6d5810cb4879e52fcdd0e16607418ddb27
pdf-embedded-file PDF EmbeddedFile object 15 at offset 0x2946C1 197714 bytes
43.pdf
e82007a16a07654016d4cf98da437a540bb5933ca6fd7c20dde6b387bbd3efde
pdf-embedded-file PDF EmbeddedFile object 16 at offset 0x2BEE8E 208472 bytes
44.pdf
25dc8a3173766a35ec2664afd5d00b27c6d87c835dc6570e1e03509839331941
pdf-embedded-file PDF EmbeddedFile object 17 at offset 0x2E63BC 67273 bytes
51.pdf
3a6f92c38e0eb83d28f14478eecf88793c6a8e21ae35a6de7890eee7673061a0
pdf-embedded-file PDF EmbeddedFile object 18 at offset 0x2F2F5C 85735 bytes
52.pdf
4625c8f122a7e707ec23f61050855f15f0159ce484e04a1f3a413f67949125a4
pdf-embedded-file PDF EmbeddedFile object 19 at offset 0x303A34 97194 bytes
53.pdf
22098c695baa5fd9e57a27ad96743fbf596b2ce6a38fc8f13ebb02d6d322f3bf
pdf-embedded-file PDF EmbeddedFile object 20 at offset 0x315E79 135952 bytes
61.pdf
c70bb8e8456ccff9aec6af12fe7017cb3518160ca03ac6936ee1f9989c5fd007
pdf-embedded-file PDF EmbeddedFile object 21 at offset 0x3307FC 101172 bytes
62.pdf
6a7195f8c30f765050a60a6c4941a0a4209c7f69062e4db593d1702503190f82
pdf-embedded-file PDF EmbeddedFile object 22 at offset 0x344928 192406 bytes
71.pdf
85fdcf328da9177d8cf1e4cdd2ef6b68578cbca6ab45152cbfda3cbffd9e80c0
pdf-embedded-file PDF EmbeddedFile object 23 at offset 0x360E79 69297 bytes
72.pdf
3995c1fa60f4ca544c495d2cff6ab475cccaabf35ff61a721de79ccf55effbe3
pdf-embedded-file PDF EmbeddedFile object 24 at offset 0x36DC8A 162528 bytes
73.pdf
1765297a2da27de132da1fc030963dec11de5239e74332e285c1e71d641f819f
pdf-embedded-file PDF EmbeddedFile object 25 at offset 0x38CC09 79557 bytes
74.pdf
486b66f8a1d0c6db791c48955d9f99fbab26e4d73ace19a7655e7d14f420ebae
pdf-embedded-file PDF EmbeddedFile object 26 at offset 0x39A877 312663 bytes
javascript_obj0100_000.js
97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61
pdf-javascript-stream PDF /JS object 100 at offset 0x632 1946 bytes
icc_00_off0001e720.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
pdf-icc-profile PDF ICC profile at offset 0x1E720 3144 bytes