Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecdd2d4c83379927…

MALICIOUS

PDF

Size: 65.0 KB
Created: 2017-05-25 13:00:45 +03:00
Authoring application: iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5: 343c4741e04472d1fd49a9957c93854a
SHA-1: 3fc065a8e5bbf388665dca1be80bc8e9ffc7c531
SHA-256: ecdd2d4c83379927626838a493a7b08a59d9b3c666d9f33322da6e6fb9ee53da
Risk Score: 256

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF contains embedded JavaScript streams and embedded files, including a .docm and an .xlsx file, which are indicative of a downloader or dropper. The ClamAV detection 'Doc.Downloader.Jaff-6329915-0' and the ML classifier strongly suggest malicious intent. The embedded artifacts, particularly 'ZZZS9PVAY.doc', were flagged as a suspicious extracted artifact with VBA auto-execution terms, indicating it likely contains malicious macros to download and execute a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics (8)

  • ClamAV: Doc.Downloader.Jaff-6329915-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Jaff-6329915-0
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream [high, PDF_EMBEDDED_SCRIPT_PAYLOAD]
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact [high, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action [low, PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low, PDF_EMBEDDED]
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • PDF paints image(s) but contains no text operators [info, PDF_IMAGE_ONLY_LURE]
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
ZZZS9PVAY.zip | pdf-embedded-file | PDF EmbeddedFile object 4 at offset 0x8A5 | 116 bytes | 903009fce8532924f1b563553078268fb6658e76b1b0ab6df9ca5d1463757beb
0.docm | pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0x9FB | 11370 bytes | f4632ca7e63bdb96ee9d6fb0c4bcb558b69612fff5c8771ff8489d18fb1dfe1d
1.xlsx | pdf-embedded-file | PDF EmbeddedFile object 12 at offset 0x2D18 | 7723 bytes | 95d44ba9b1684bda97fd78f150794190549cc6712a039efd73b775a8049daec2
ZZZS9PVAY_1.txt | pdf-embedded-file | PDF EmbeddedFile object 14 at offset 0x4336 | 214 bytes | c4f6e84df9ce25f5a9c95c3f6d7900d1730c75132f08b1bd3a24a23438346c76
ZZZS9PVAY.doc | pdf-embedded-file | PDF EmbeddedFile object 18 at offset 0x44DE | 104960 bytes | 0244ba9009c94ed79476ebf345962cbe4aabc1b09b105ff0521d3fb7b2b0314d
    Detection: ClamAV: Doc.Downloader.Jaff-6329915-0
    Obfuscation or payload: likely
    Carved macro source contains an auto-exec entry point and execution/download terms.
javascript_obj0020_000.js | pdf-javascript-stream | PDF /JS object 20 at offset 0xEEC0 | 59 bytes | daacf7708513854d8d74f0e7d4490f96cd7a670da759f06486c178bf01a02a81
javascript_obj0023_001.js | pdf-javascript-stream | PDF /JS object 23 at offset 0xF192 | 63 bytes | e7ca93bdf607d018edc02353faa68301deb49efbb70c59b6a2c9edbab6951931
javascript_obj0024_002.js | pdf-javascript-stream | PDF /JS object 24 at offset 0xF1FC | 54 bytes | 5e86646d44339bf6b3b82d81abb4bba1343f13eb69793bd53251c933f8870d46
javascript_obj0025_003.js | pdf-javascript-stream | PDF /JS object 25 at offset 0xF261 | 41 bytes | aaaebe23dc992b597affd1440789c272421ef197f861eea01758b7c69c81ce85
javascript_obj0027_005.js | pdf-javascript-stream | PDF /JS object 27 at offset 0xF2EE | 35 bytes | 84ec0f9799cfd6d2eedee8a92dddcb8e5ecc6f8601f0a96c8209a756f410c772
javascript_obj0028_006.js | pdf-javascript-stream | PDF /JS object 28 at offset 0xF339 | 46 bytes | ff22fe1dce659447d0db8248c2020ff7718dc499e5e0678ccd09d4c3774dc771
javascript_obj0033_007.js | pdf-javascript-stream | PDF /JS object 33 at offset 0xFB86 | 33 bytes | 3c06d2ee278e1031e818b73cbf620836ef812924433573e9f3bd266cf6fc2464
javascript_obj0021_009.js | pdf-javascript-stream | PDF /JS object 21 at offset 0xEF26 | 1441 bytes | 51b3e214f38729500ff39139b08d521aaf2bb069e2a66ae2cf6b8e5a437707c7
javascript_obj0029_010.js | pdf-javascript-stream | PDF /JS object 29 at offset 0xF391 | 648 bytes | 9fd25580d0d2d09fb6c5678ba340547226c48ae6845785ba0e87496fd5cb17df
javascript_obj0031_011.js | pdf-javascript-stream | PDF /JS object 31 at offset 0xF506 | 5530 bytes | 239b8eaa8243fda1336bc5936b98d6cbcf1ebd0d2f69004cc0bc52091ae6ecdb