Malicious PDF — malware analysis report

Static analysis result for SHA-256 f346dbdbf48725bc…

MALICIOUS

PDF

Size: 48.6 KB
Created: 2010-08-05 08:46:42 +08:00
MD5: 01bb63472bb1063e64702647b33d6a8d
SHA-1: debd017e9d4f92f442007483e8424f326f0c164c
SHA-256: f346dbdbf48725bcd19abd5c9eca83d3fd08e7748c66e320a486cf14f738f603
Risk score: 84

Malware Insights

MITRE ATT&CK
  • T1555 Credentials from Password Stores
  • T1059 Command and Scripting Interpreter
  • T1140 Deobfuscate/Decode Files or Information

The one critical heuristic is a ZIP archive hidden inside a PDF stream whose local file headers name an executable, 'Verify patch.exe'. The document is therefore best read as a malicious container that smuggles a Windows payload, not as a reader exploit. The /JavaScript action, the /JS stream and the embedded-file reference are low-severity on their own (all three are common in benign forms) but are consistent with a loader that extracts and runs the payload; the JavaScript body is not reproduced in this report, so the execution chain is inferred from these indicators rather than observed. The extracted URLs are the standard XMP/RDF and Dublin Core metadata namespace URIs and are not indicators of network activity.

Heuristics (5)

  • [critical] PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD: hidden ZIP payload with executable entries inside a PDF stream
    PDF stream bytes contain an embedded ZIP archive whose local file headers name executable payload files. This is not a normal PDF attachment (/EmbeddedFile): the Windows payload is hidden inside an ordinary stream, a strong malware-loader or file-smuggling pattern.
  • [low] PDF_JAVASCRIPT: JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside a decoded stream)
  • [low] PDF_JS: embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside a decoded stream)
  • [low] PDF_EMBEDDED: embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload. (matched inside a decoded stream)
  • [info] EMBEDDED_URL: embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels (not reproduced in this report) record which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are standard XMP metadata namespace URIs, not addresses the document contacts:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
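The following is an added example, not the analysis tool's own code, showing how the stream-level heuristics above can be reproduced: it walks every `N 0 obj << ... >> stream` object, inflates /FlateDecode streams, looks for ZIP local file headers in both the raw and the decoded bytes, parses each header to recover the entry names and flags executable names (the critical rule), and reports the keyword rules (/JavaScript, /JS, /EmbeddedFile) separately for the raw file and for each decoded stream, which is what "matched inside decoded stream" means in the report. The rule names are taken from the report; the regex-based object parser, the executable-extension list, the decision to treat a declared /EmbeddedFile stream as an ordinary attachment rather than a hidden payload, and the sample PDF (constructed here, with a fake PE entry named after the report's payload and the JavaScript action tucked into an object stream) are assumptions of this example.

```python
import io
import re
import struct
import zipfile
import zlib

# Re-implementation of the report's stream heuristics for illustration (not the
# analysis tool's own code). Rule names come from the report; the parser, the
# executable-extension list and the sample PDF are assumptions of this example.
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1")
ZIP_LOCAL = b"PK\x03\x04"                       # ZIP local file header signature
KEYWORDS = ((b"/JavaScript", "PDF_JAVASCRIPT", "low"),
            (b"/JS", "PDF_JS", "low"),
            (b"/EmbeddedFile", "PDF_EMBEDDED", "low"))
# "N G obj << dict >> stream\n"; the tempered dot keeps a match inside one object.
OBJ_STREAM_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.DOTALL)


def zip_entries(buf):
    """(offset, filename) for every ZIP local file header in buf. The 30-byte header is
    parsed directly, so a ZIP that starts mid-stream or has lost its central directory
    is still recognised (zipfile.ZipFile would reject it)."""
    out, pos = [], buf.find(ZIP_LOCAL)
    while pos != -1 and pos + 30 <= len(buf):
        name_len = struct.unpack_from("<H", buf, pos + 26)[0]      # filename length field
        out.append((pos, buf[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")))
        pos = buf.find(ZIP_LOCAL, pos + 4)
    return out


def pdf_streams(data):
    """Yield (objnum, dict, data_offset, raw, decoded) for each stream object.
    Only a direct /Length and the /FlateDecode filter are handled (assumption)."""
    for m in OBJ_STREAM_RE.finditer(data):
        sdict, start = m.group(3), m.end()
        length = re.search(rb"/Length\s+(\d+)(?=\s*[/>])", sdict)   # direct integer only
        end = start + int(length.group(1)) if length else data.find(b"endstream", start)
        raw, decoded = data[start:end], None
        if b"/FlateDecode" in sdict:
            try:
                decoded = zlib.decompressobj().decompress(raw)     # tolerates trailing junk
            except zlib.error:
                pass
        yield int(m.group(1)), sdict, start, raw, decoded


def scan_pdf(data):
    """Returns (findings, carves): findings is a set of (severity, rule, detail);
    carves lists (objnum, absolute file offset, entry names) for each raw-stream ZIP."""
    findings, carves = set(), []

    def keyword_scan(buf, where):
        for kw, rule, sev in KEYWORDS:
            if kw in buf:
                findings.add((sev, rule, "%s found in %s" % (kw.decode(), where)))

    keyword_scan(data, "raw file")
    for objnum, sdict, offset, raw, decoded in pdf_streams(data):
        if decoded is not None:
            keyword_scan(decoded, "decoded stream %d 0 obj" % objnum)
        if b"/EmbeddedFile" in sdict:
            continue        # declared attachment: covered by PDF_EMBEDDED, not "hidden"
        for label, buf in (("raw", raw), ("decoded", decoded or b"")):
            entries = zip_entries(buf)
            if not entries:
                continue
            names = [name for _, name in entries]
            if label == "raw":
                carves.append((objnum, offset + entries[0][0], names))
            if any(name.lower().endswith(EXEC_EXTS) for name in names):
                findings.add(("critical", "PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD",
                              "ZIP in %s bytes of %d 0 obj names %s" % (label, objnum, names)))
    return findings, carves


def build_sample_pdf():
    """Constructed sample mirroring the report's findings; NOT the analysed file."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Verify patch.exe", b"MZ" + b"\x00" * 64)   # fake PE, name taken from the report
        z.writestr("readme.txt", b"decoy")
    hidden = b"\x00" * 7 + zbuf.getvalue()      # ZIP starts a few bytes into an ordinary stream
    objstm = zlib.compress(b"8 0 << /S /JavaScript /JS 5 0 R >>")  # action hidden in an /ObjStm
    js = zlib.compress(b"app.alert('constructed sample');")
    attach = b"plain text attachment"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 8 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>\nstream\n" % len(objstm) + objstm + b"\nendstream",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js) + js + b"\nendstream",
        b"<< /Length %d >>\nstream\n" % len(hidden) + hidden + b"\nendstream",
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(attach) + attach + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    findings, carves = scan_pdf(build_sample_pdf())
    for sev, rule, detail in sorted(findings):
        print("%-8s %-35s %s" % (sev, rule, detail))
    for objnum, off, names in carves:
        print("carve: %d 0 obj ZIP at file offset 0x%X, entries %s" % (objnum, off, names))
```

To triage a real file, call `scan_pdf(open(path, "rb").read())`; each carve gives the absolute file offset of the ZIP, so the payload can be cut out by slicing the file from that offset, which is what the `hidden_pdf_zip_off…` artifact listed below is. The parser is deliberately minimal: it only inflates /FlateDecode, so headers hidden behind /ASCIIHexDecode, /LZWDecode or a filter chain, or inside a stream whose /Length is indirect and whose data happens to contain "endstream", would be missed, and a sample that splits "PK\x03\x04" across two streams defeats the signature scan altogether. Treat a hit as a strong signal and a miss as no information.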

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_006_off00000f92.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xF92
    Size: 41118 bytes
    SHA-256: 08a43d4ddf8aa8a1dd9ae7b6108300695844945d45e8530c267c383b7c06decb
  • hidden_pdf_zip_off00000f99.zip
    Kind: pdf-hidden-zip
    Source: PDF raw stream ZIP payload at offset 0xF99
    Size: 41220 bytes
    SHA-256: d32c1b1825926ff4c27d496823d533228d5dd9598d7a035f408ffd5d7f2a590e
  • objstm_0032_00.bin
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 32 0 obj (inflated)
    Size: 3388 bytes
    SHA-256: c35692362591551e119825bc8348b59138f6cd7f271d0538c4c1cdf4a43a15b5

Offset 0xF99 is seven bytes past 0xF92, the length of the "stream\n" keyword that separates a stream dictionary from its data, which is consistent with the ZIP beginning at the first byte of the stream's data. The carved ZIP, not the inflated stream, is the artifact to hand to the next stage: list its entries before extracting anything, since the file named in the local headers ('Verify patch.exe') is the payload this report is scored on.