PDF static analysis report

Static analysis result for SHA-256 f7c0301f61567c43…

Verdict: CLEAN
File type: PDF
Size: 3.16 MB
Created: 2014-03-27 09:32:29 -05:00
Authoring application: Adobe InDesign CS6 (Macintosh) (via Adobe PDF Library 10.0.1)
First seen: 2015-09-24
MD5: aba3fde36c2f2497f0074954ec866b99
SHA-1: 5af26b6712e1fadb62517705076278734073fa18
SHA-256: f7c0301f61567c4360edb92a3fa148c41cd612442a25967869d51b8a285bf60f
Risk Score: 6

Malware Insights

MITRE ATT&CK
  • T1059.001 JavaScript
  • T1204.002 Malicious Link

The PDF file contains embedded JavaScript and is flagged for a JPXDecode-related vulnerability (CVE-2018-4990 family). This suggests an attempt to exploit a PDF viewer vulnerability to execute code. The embedded JavaScript is likely responsible for initiating the exploit chain. Several unknown URLs were also found within the document, which could be used for command and control or further payload delivery.

Machine Learning

  • Nyx PDF Classifier clean score 0.0007

Heuristics (3)

  • JPXDecode + active content — JPEG2000 CVE-family indicator [info] [CVE related] PDF_JPX_CVE_2018_4990_RELATED
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (SHA-256 of each carved file on the following line)
font_00_cff_off00002560.bin pdf-font-stream PDF embedded font (cff) at offset 0x2560 5464 bytes
SHA-256: 364c211c69033492601ae35f0529a80f1f7cff1a066a8c25d2491480fe9a64f9
font_01_cff_off00003805.bin pdf-font-stream PDF embedded font (cff) at offset 0x3805 4525 bytes
SHA-256: 7dbb46a62615e71112d3f098ffd8a764c1e3ffe852a2c504cb38bae6915f7599
font_02_cff_off00004736.bin pdf-font-stream PDF embedded font (cff) at offset 0x4736 4696 bytes
SHA-256: 993b8fab1a2e2c2fecab59346954e588bb94d86146a5aae54b379c4d513d5cb6
font_03_cff_off000057f3.bin pdf-font-stream PDF embedded font (cff) at offset 0x57F3 1699 bytes
SHA-256: 1351d470a97892357d4ac14a0891416a03b109b1d7b72b6e20c00b40b2400477
font_04_cff_off00005cfa.bin pdf-font-stream PDF embedded font (cff) at offset 0x5CFA 2254 bytes
SHA-256: 0a1d64303716e3d6fbb0812ab1b5528b554651bccdf8c5dfbe5ba3d68a455bb9
font_05_cff_off0029a239.bin pdf-font-stream PDF embedded font (cff) at offset 0x29A239 2736 bytes
SHA-256: 1f6341e992be7fbc8062cb233ec642a8c1827613da411817fc0799e492411798
font_06_cff_off0029ae1d.bin pdf-font-stream PDF embedded font (cff) at offset 0x29AE1D 1534 bytes
SHA-256: 3a1be6d2fe12a5db6bb996b31c8c32df551a9d89b3d35f4bde196ce636a323e2
font_07_cff_off0029b55e.bin pdf-font-stream PDF embedded font (cff) at offset 0x29B55E 3287 bytes
SHA-256: ca38af2f47562334fbdf8e1c53ab4489c367570b38be783752a4058d744f48ad
font_08_cff_off0029c282.bin pdf-font-stream PDF embedded font (cff) at offset 0x29C282 3755 bytes
SHA-256: fa39f9cd3fe30bef3c90289775f62d621a586c9d9be30f9d4c34fcb898696f77
font_09_cff_off0029cfa4.bin pdf-font-stream PDF embedded font (cff) at offset 0x29CFA4 2215 bytes
SHA-256: ee92b265ab95283db69680dbc39b271bbd793f2a7eea44d77d39309c81089396
font_10_cff_off002bfa0c.bin pdf-font-stream PDF embedded font (cff) at offset 0x2BFA0C 3688 bytes
SHA-256: aa8d6ae1906f4c316ffb3b2d2bad079e4178c2a5d10c1612b731bebaf40216a5
font_11_cff_off002c0ae7.bin pdf-font-stream PDF embedded font (cff) at offset 0x2C0AE7 1641 bytes
SHA-256: c43ef47096b79d839044106127f0334fdf9db3e702316ff3ee5cdf6cd85b074d
font_12_cff_off002c3d9a.bin pdf-font-stream PDF embedded font (cff) at offset 0x2C3D9A 1358 bytes
SHA-256: 35c0743ee1a7be73e1a0a5ecfcc0a4cb894ead7f850563f25f879bd05612418c
font_13_cff_off002c5675.bin pdf-font-stream PDF embedded font (cff) at offset 0x2C5675 2835 bytes
SHA-256: 6544ae53afbfe2baab70279b066d42b498a510afb0b276d4e6e89b6944eff155
font_14_cff_off002c6116.bin pdf-font-stream PDF embedded font (cff) at offset 0x2C6116 3846 bytes
SHA-256: 14166707d451680ba4f73589f55b4ea771cdf736a63d9837b344d972195ae607