Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef1744863372152e…

MALICIOUS

PDF

164.7 KB Created: 2008-08-04 16:25:00 +08:00 Authoring application: Acrobat PDFMaker 7.0 for Word (via Acrobat Distiller 7.0 (Windows))
MD5: 145716df691d8b3d33f7d632f1d491f8 SHA-1: 53622e93a748d066b0bee724cef476e623f1c14d SHA-256: ef1744863372152e8f15aef3aec47c582b767b2533f8dd9f4982b278099768d5
118 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A secondary embedded PDF was also found with suspicious static findings, including external URIs. The ClamAV detection for 'Heuristics.PDF.ObfuscatedNameObject' further confirms its malicious nature. The embedded JavaScript is likely responsible for executing malicious code, potentially downloading additional payloads from the identified external URI.

Heuristics 6

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://navy.mnd.gov.tw/)/S/URI
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0006_000.js
8693bc5f6481ecab86832c853b54a5ae110306f474ba543a0accc706d54efc6c		 pdf-javascript-stream PDF /JS object 6 at offset 0x18B 6603 bytes
icc_00_off0000cd05.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0xCD05 3144 bytes
font_00_sfnt_off00019451.bin
12004231c9adcdac12c1ffbd45cc40c22c16dc7795967dffd8e3db954281b5bc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x19451 221148 bytes
polyglot_child_pdf_off0000acd4.pdf
d7309f4b91483bdac040e393060b19dd87daa789822ece0b2d516ea8ba6e42f1		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xACD4 124399 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.