Malicious PDF — malware analysis report

Static analysis result for SHA-256 f67773a341ab2c25…

Verdict: MALICIOUS
File type: PDF
Size: 566.4 KB
Created: 2010-03-11 13:08:00 +08:00
Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 7.0 (Windows))
MD5: 9dcd44f44d53b0ed8fa8220539aad374
SHA-1: 359cceb943ad361d3ad1a34db2ad0e6480268bf1
SHA-256: f67773a341ab2c252525f093c544e323e10d25798e1d9df7eb22b55cd9e47971
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The PDF contains embedded JavaScript and an embedded PDF file, which are common techniques for delivering malicious content. The embedded JavaScript stream and the embedded PDF child with suspicious static findings indicate an attempt to execute code or exploit vulnerabilities. The presence of an unknown URL associated with XFA forms warrants further investigation.

Heuristics (6)

  • Embedded PDF child has suspicious static findings [critical] PDF_EMBEDDED_CHILD_STATIC_TRIAGE
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Fields per artifact: filename, kind, source, size, SHA-256.

  • icc_00_off000021e1.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x21E1
    Size: 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  • font_00_sfnt_off0000472d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x472D
    Size: 25919 bytes
    SHA-256: f6d0b6ff4af9c18a0840d931766e72e9d509bec881d623f290d6adbb30288735
  • font_01_sfnt_off00007dd0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7DD0
    Size: 24068 bytes
    SHA-256: a6e5a3e32a5f55bad8416b17db6a9e1784ad79efa0ec6f1100294b45df89af75
  • DD-102730.pdf
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 22 at offset 0x5FA3
    Size: 72127 bytes
    SHA-256: 53cfd2dce5bff8ee5d03ac3197ecb2f8ef69a6e87b9d2cbcc058aa503cbae1ce
  • windwall.pdf
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 61 at offset 0x3D7C9
    Size: 38344 bytes
    SHA-256: 1942197ea7edb7941b72e245534cf041cdc9e33254ec906e697dfe4256eefb0d
  • javascript_obj0026_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 26 at offset 0x36D88
    Size: 1946 bytes
    SHA-256: 97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61