Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed6c7d1a1495ffe4…

MALICIOUS

PDF

Size: 989.7 KB
Created: 2009-12-05 10:35:51 +08:00
Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 7.0.5 (Windows))
MD5: d7a3cc0972c525d8dd9ae0975373a3fb
SHA-1: 3068891443556fb25db89c0ade3b3384cd282e98
SHA-256: ed6c7d1a1495ffe4fc09ef25f6b4785293901815f90a14c145334cf17bc01292
Risk Score: 114

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF contains embedded JavaScript and an embedded PDF, as indicated by the PDF_JAVASCRIPT, PDF_JS, and PDF_EMBEDDED_CHILD_STATIC_TRIAGE heuristics. The ML classifier also flagged this PDF as malicious with a high probability. The embedded JavaScript and PDF are likely used to download and execute a second-stage payload. The specific nature of the payload cannot be determined from the available evidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9662

Heuristics (5)

  • Embedded PDF child has suspicious static findings (severity: critical, rule: PDF_EMBEDDED_CHILD_STATIC_TRIAGE)
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low, rule: PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: 10.5.pdf
    SHA-256: 811fccb3c635492b7ca3f233387f22f108824530b0765638e1749c7a89cda818
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 230 at offset 0xEABAB
    Size: 6360 bytes
  • Filename: javascript_obj0245_000.js
    SHA-256: 97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61
    Kind: pdf-javascript-stream
    Source: PDF /JS object 245 at offset 0x579
    Size: 1946 bytes