Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8bc0ba1175731c2…

MALICIOUS

PDF

337.7 KB Created: 2009-07-16 17:21:01 +02:00 Authoring application: Acrobat PDFMaker 7.0.5 for PowerPoint (via Acrobat Distiller 7.0.5 (Windows))
MD5: 0ef058364bae991b69a1247eca676a52 SHA-1: e67feff4c6f523440211718902631d216e76906d SHA-256: f8bc0ba1175731c25c9e8784d74fa49626bb97a4b95265f3364eb769a4b71daa
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

This PDF file was flagged as malicious by ML classifiers and ClamAV, identifying it as a dropper. It contains an embedded JavaScript payload and an external URI pointing to 'http://deis.novartis.intra/deis.asp?LBH589B'. The embedded script likely attempts to download and execute a second-stage payload from this URL, masquerading as an internal Novartis document to trick the user into visiting the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7490

Heuristics 6

  • ClamAV: Pdf.Dropper.Agent-7325975-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7325975-0
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://deis.novartis.intra/deis.asp?LBH589B)/S/URI
    • http://deis.novartis.intra/deis.asp?LBH589B
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_000_off0004a7ad.js
086317b3d1e683e30da8ed5dd69061f66bc8b272630b72fdb72a1fb902e524b2		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4A7AD 4437 bytes
icc_00_off0004f6a5.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x4F6A5 3144 bytes
font_00_sfnt_off0005083f.bin
37eea59166ff3679eca2e5320e36daf637b1c9b8ccab698147641d383c9b3a75		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5083F 12672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.