Malicious PDF — malware analysis report

Static analysis result for SHA-256 f7bc4b1f15591c6b…

Verdict: MALICIOUS
File type: PDF
Size: 245.3 KB
Created: 2010-07-10 20:01:51 +02:00
Authoring application: Adobe LiveCycle Designer 8.0
MD5: 63627800f3f16c0bdee0dd00b75b65f7
SHA-1: a8ba7913adbde7446f735c2e63f46c6b33ddd1f8
SHA-256: f7bc4b1f15591c6b7b0e9f047e385b006ab500fdfe68caaedb7eec8cb10b3500
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript and an embedded file, indicating a malicious payload. The document body presents a form requesting personal and financial details, suggesting a phishing or scam attempt. The presence of JavaScript and embedded files points towards an attempt to download and execute further malicious content or exploit vulnerabilities.

Heuristics (8)

  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (15)

Files carved from inside the sample during analysis. Each entry lists the carved filename, its SHA-256, the artifact kind, the source object and offset inside the PDF, the size, and any per-artifact detection notes.

embedded_file_obj0014.bin
  SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 14 at offset 0x2DF2C
  Size: 85 bytes

embedded_file_obj0015.bin
  SHA-256: 48cd1b8f47d80a268a5b63b7e5cc22439cd45a388d3db1f292d2edc912a40182
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 15 at offset 0x2DFE0
  Size: 3318 bytes

embedded_file_obj0016.bin
  SHA-256: 4eaeaa8fd76f20c2b3880a2fade656a140dede830c0b7ffc75f5a5df19b1c11b
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 16 at offset 0x2E4C3
  Size: 108066 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 long base64-like blob(s).

embedded_file_obj0017.bin
  SHA-256: e928446dfd024aeb6e808b76c485095eecb7205baf030f52501734853f1bfda6
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 17 at offset 0x3AC16
  Size: 817 bytes

embedded_file_obj0018.bin
  SHA-256: 071cd66a36d8e8da62bc11d33e44c1da53c0fba31dbb1d62083e7fcb353da0c0
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 18 at offset 0x3ADAE
  Size: 7083 bytes

embedded_file_obj0019.bin
  SHA-256: 7e915b5dd2e321929666a7b64c038b67678092d6e43a4a70683521856a4d5128
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 19 at offset 0x3B1B9
  Size: 214 bytes

embedded_file_obj0020.bin
  SHA-256: 5b87311daabc20f36d5ff6ba13ed4913a21e851f6bcf424297c02f94913129d8
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 20 at offset 0x3B2B4
  Size: 799 bytes

embedded_file_obj0021.bin
  SHA-256: b1b296d371e691ae903fc90e2f3bd69eeac3730137d7c7f5d9379aed02cb51d6
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 21 at offset 0x3B4C4
  Size: 110 bytes

javascript_obj0143_000.js
  SHA-256: 04ceb4c2218e7db19a6e007ca4ce846f92c17fff5eaf3a611e71bbd7a5726917
  Kind: pdf-javascript-stream
  Source: PDF /JS object 143 at offset 0xC69
  Size: 1535 bytes

javascript_obj0144_001.js
  SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
  Kind: pdf-javascript-stream
  Source: PDF /JS object 144 at offset 0xE55
  Size: 870 bytes

javascript_obj0145_002.js
  SHA-256: f818e05264775fea0eb227255ff8484376757141decbcbc69724ac650f3c7c50
  Kind: pdf-javascript-stream
  Source: PDF /JS object 145 at offset 0xFB0
  Size: 3795 bytes

stream_020_off000269d1.bin
  SHA-256: 61f62c6ab38f53bc4792813a8141798d141790e3561c10d8686b5f7bf30bec6f
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x269D1
  Size: 35435 bytes

font_00_sfnt_off00004c32.bin
  SHA-256: 058d11642e857508126df5662db2c7af4bdc1892e73eea6fc33f2605a1fc3c20
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4C32
  Size: 94875 bytes

font_01_cff_off000234be.bin
  SHA-256: c6cd541a74bb9e31f941a73f9353f5ff865da8b50693928babe8efddc375625a
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x234BE
  Size: 5304 bytes

font_02_cff_off00024a07.bin
  SHA-256: 34995292ff46f7d45bfc5719c97731fd7869f2b6053803f14908eeffd6525c4f
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x24A07
  Size: 4705 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.43, consistent with packed or encrypted content.