Malicious PDF — malware analysis report

Static analysis result for SHA-256 f19714efae9e902a…

MALICIOUS

PDF

450.4 KB
MD5: f01bd2ebc9a829c28d1bbe608d123ec1
SHA-1: c7d03c34f94219d3f03e34eaf050a8e91fddb25a
SHA-256: f19714efae9e902af43a819e1adeec898b4ed90311aa2aafa56c345934892d7a

Risk Score: 70

Malware Insights

MITRE ATT&CK
  • T1553.005 Mark-of-the-Web Bypass
  • T1204.002 Malicious File

The PDF contains multiple embedded PDF files, as indicated by the PDF_EMBEDDED and PDF_EMBEDDED_CHILD_STATIC_TRIAGE heuristics. The presence of embedded files suggests a multi-stage attack or a dropper mechanism. The embedded files themselves have suspicious static findings, further increasing the likelihood of malicious intent. No specific document body content was available for analysis, so the rationale is based on the structural findings.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0876

Heuristics (4)

  • PDF_EMBEDDED_CHILD_STATIC_TRIAGE (critical): Embedded PDF child has suspicious static findings
    The PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • PDF_EMBEDDED (low): Embedded file
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF_GOTO_REMOTE (info): Remote GoTo action
    The PDF has GoToR/GoToE actions that reference sibling document files, which is typical of multi-part document bundles.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • tool___r11---delay--3---nest--5-only-text-long-doc.pdf
    SHA-256: 2f6daf5dfa7230ed8bfbdbd8af0a54d7ccb8ce0e983d9d39df802afbaafffcae
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 244 at offset 0x1AA50
    Size: 115262 bytes
  • tool___r11---delay--3---nest--5-only-text-long-doc_1.pdf
    SHA-256: 0207c6f8410798f89d446c867815bb226f37bf0c1c4688bf67fb9dd56b694e0b
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 244 at offset 0x1AA51
    Size: 201631 bytes
  • tool___r11---delay--3---nest--5-only-text-long-doc_2.pdf
    SHA-256: a4a4fa0a62b4b80869b26ad41be286f2c806a35e6405d22335cfca4648fddd6f
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 244 at offset 0x1AA51
    Size: 288155 bytes
  • tool___r11---delay--3---nest--5-only-text-long-doc_3.pdf
    SHA-256: fbf4c034675c5f012dea96767dc694e1437ccd6451ef35d9d32ccb88c7ecd0d0
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 244 at offset 0x1AA51
    Size: 374719 bytes