Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea404440145b3539…

Verdict: MALICIOUS
File type: PDF
Size: 223.6 KB
MD5: 23ac33d02402c9dc47d18fedad213286
SHA-1: 97f572653d309051698b3fcbc48b69e2938dddea
SHA-256: ea404440145b353979236fda034102f8a18904ff5535d9fda7b272c402cf00a5
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains embedded JavaScript and exhibits characteristics indicative of an exploit targeting CCITTFaxDecode and XFA, as suggested by the 'PDF_CCITT_CVE_2010_0188_RELATED' heuristic. The embedded JavaScript is likely responsible for executing malicious actions, potentially downloading and running a second-stage payload. The presence of multiple embedded PDF structures and ClamAV's detection of 'Heuristics.PDF.ObfuscatedNameObject' further support its malicious nature.

Heuristics (6)

  • CCITTFaxDecode + TIFF/XFA exploit prep — LibTIFF CVE-family indicator (severity: high, CVE related; rule: PDF_CCITT_CVE_2010_0188_RELATED)
    PDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • Secondary embedded PDF body has suspicious static findings (severity: high; rule: POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/pdf/1.3/
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

  • javascript_obj0006_000.js
    SHA-256: 8693bc5f6481ecab86832c853b54a5ae110306f474ba543a0accc706d54efc6c
    Kind: pdf-javascript-stream
    Source: PDF /JS object 6 at offset 0x18B
    Size: 6603 bytes
  • stream_041_off0002f5a3.bin
    SHA-256: dafa1626d65255f7c2ff294729e457327932ac1a461dc849daa54a6ccb675bc5
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2F5A3
    Size: 20160 bytes
  • font_00_cff_off0000da26.bin
    SHA-256: 7218ffb8a40dfa760c08502356e5f14e470871ed41edc8973f6615a93695e4d0
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xDA26
    Size: 11719 bytes
  • font_01_cff_off0001001e.bin
    SHA-256: b5bd3399be7deab9be626b32a659c73b6fcb99233f8b02d1a190a4a5fd4f7d1e
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1001E
    Size: 5182 bytes
  • font_02_cff_off00011200.bin
    SHA-256: a345bbd15558444933f3a7037dbea4f4ca9c0344833e2b24a7821354e07ee8f5
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x11200
    Size: 7357 bytes
  • font_03_cff_off00012a8e.bin
    SHA-256: d36c821327e5139a76a8fcad53ac0708f90670f66b5e4fa1915b233a45a86c70
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x12A8E
    Size: 26806 bytes
  • font_04_cff_off00018a7d.bin
    SHA-256: a8abd67ad639b43d36dcc9c648bc545e0f0d7a51f33ee093ff8b03a17e550ec5
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x18A7D
    Size: 2265 bytes
  • font_05_cff_off0001942c.bin
    SHA-256: 1914e643224bef58ea40899d568bee9046435ed189df368cc2b234a6159c83fa
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1942C
    Size: 992 bytes
  • font_06_cff_off000198ae.bin
    SHA-256: b9afdf212f6bc485d75e0a7ba30c73e0d4ddb69191b3966e163f16be40dd6df9
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x198AE
    Size: 3878 bytes
  • polyglot_child_pdf_off0000acdc.pdf
    SHA-256: 7b48d79607bce9df7cfe9c14d7fa71cad1ebabea3478ddda1d86349099ab75ab
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside PDF container at offset 0xACDC
    Size: 184729 bytes