Malicious PDF — malware analysis report

Static analysis result for SHA-256 f943a7ff49726af2…

Verdict: MALICIOUS
File type: PDF
Size: 155.6 KB
Created: 2011-04-25 22:48:14 +08:00
MD5: 00c72eca251890662cadc705f4c2244f
SHA-1: 00b9b6ac2778c758a964b9acc643c8ce2762bd51
SHA-256: f943a7ff49726af216b57d2ae7c31571b39205fd816a23b1c5d70555e33c8f2a
Risk score: 138

Malware Insights

MITRE ATT&CK
  • T1204 User Execution (Malicious Link, sub-technique T1204.001)
  • T1059 Command and Scripting Interpreter
  • T1105 Ingress Tool Transfer

The sample is a PDF that an ML classifier flags as malicious (score 0.9094) and that fires several heuristics on embedded content: a /RichMedia (Flash) annotation, an embedded file attachment, and a secondary PDF body carved from inside the container whose own static triage matched exploit or lure heuristics. Together these are consistent with a document built to exploit a reader vulnerability (Flash inside PDF was a common vector around the file's 2011 creation date) and then stage additional content. That is an inference from structure, not observed behaviour: no JavaScript, shell command or download URL was extracted for direct analysis, and the only URLs found are XMP metadata namespace identifiers rather than network destinations. Read the T1059 and T1105 mappings as the expected next stage, and confirm them by detonating the sample or decoding the carved child PDFs further before asserting them as capabilities.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9094

Heuristics (4)

  • POLYGLOT_CHILD_PDF_STATIC_TRIAGE (critical): Secondary embedded PDF body has suspicious static findings
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. The rule is written for polyglots whose top-level magic routes the file to a ZIP/OLE parser while a PDF reader or downstream parser opens the hidden PDF payload. In this sample the outer container is itself a PDF (both child bodies are carved from inside the PDF, see the artifact offsets), so the finding is a PDF nested in a PDF. Embedded-file attachments and incremental updates produce the same layout, so the severity rests on what the carved body contains, not on the nesting by itself.
  • PDF_RICHMEDIA (high): RichMedia (Flash)
    The document contains a /RichMedia annotation (Adobe Flash), a historic exploit vector. The keyword matched inside a decoded stream, so it is not visible in the raw bytes.
  • PDF_EMBEDDED (low): Embedded file
    The document embeds a file attachment (/EmbeddedFile), which could carry an executable or another weaponised document as a nested payload. Matched inside a decoded stream.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs here are XMP/RDF metadata namespace identifiers, typical of any document carrying an XMP metadata stream, and none is a download or callback address:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
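The child-PDF carve and the "matched inside decoded stream" checks behind the RichMedia and embedded-file findings, as an added Python example that is not the scanner's own code: it carves every %PDF- magic found at a nonzero offset, inflates each stream it can, and runs a keyword triage over both the raw body and the inflated streams. The keyword table, its severities, the reuse of the report's rule names, and the sample PDF built in build_sample() are all constructed for this example.

```python
import re
import zlib

# Keywords that fire a static-triage rule when found in a PDF body, either raw or
# after inflating a FlateDecode stream. Rule names follow the report; the keyword
# list and severities are constructed for this example, not the scanner's rule set.
TRIAGE_KEYWORDS = {
    b"/RichMedia":    ("PDF_RICHMEDIA", "high"),
    b"/JavaScript":   ("PDF_JAVASCRIPT", "high"),
    b"/Launch":       ("PDF_LAUNCH", "high"),
    b"/EmbeddedFile": ("PDF_EMBEDDED", "low"),
    b"/OpenAction":   ("PDF_OPENACTION", "info"),
}

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(body):
    """Yield (offset, inflated_bytes) for every stream in body that zlib can inflate.

    Every stream is tried, not only those whose dictionary says /FlateDecode, so a
    dictionary that omits or lies about the filter does not hide the content.
    """
    for m in STREAM_RE.finditer(body):
        try:
            out = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue
        if out:
            yield m.start(1), out


def carve_child_pdfs(data):
    """Return [(offset, carved_bytes)] for each '%PDF-' magic at a nonzero offset.

    A body is carved from its magic to the container's last '%%EOF' (or to the end
    of the data), so two magics yield overlapping carves that share an end offset.
    """
    eof = data.rfind(b"%%EOF")
    end = len(data) if eof < 0 else eof + len(b"%%EOF")
    children = []
    pos = data.find(b"%PDF-", 1)
    while pos != -1:
        children.append((pos, data[pos:end]))
        pos = data.find(b"%PDF-", pos + 1)
    return children


def triage(body):
    """Return sorted (rule, severity, location) hits over the raw body and its inflated streams."""
    hits = set()
    for kw, (rule, sev) in TRIAGE_KEYWORDS.items():
        if kw in body:
            hits.add((rule, sev, "raw"))
    for off, inflated in inflate_streams(body):
        for kw, (rule, sev) in TRIAGE_KEYWORDS.items():
            if kw in inflated:
                hits.add((rule, sev, "decoded stream at 0x%X" % off))
    return sorted(hits)


def analyze(data):
    """Triage the container, then each carved child; a child with a high-severity
    hit raises POLYGLOT_CHILD_PDF_STATIC_TRIAGE, as in the report."""
    report = {"top": triage(data), "children": []}
    for off, body in carve_child_pdfs(data):
        hits = triage(body)
        report["children"].append({
            "offset": off,
            "size": len(body),
            "hits": hits,
            "POLYGLOT_CHILD_PDF_STATIC_TRIAGE": any(s == "high" for _, s, _ in hits),
        })
    return report


def build_sample():
    """Constructed input (not the analysed sample): an outer PDF whose /EmbeddedFile
    attachment is a second PDF that keeps /RichMedia inside a FlateDecode stream."""
    hidden = b"<< /Type /Annot /Subtype /RichMedia >>\n" * 4
    packed = zlib.compress(hidden)
    child = (b"%PDF-1.6\n1 0 obj << /Length " + str(len(packed)).encode()
             + b" /Filter /FlateDecode >>\nstream\n" + packed
             + b"\nendstream\nendobj\n%%EOF\n")
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
            b"3 0 obj << /Type /EmbeddedFile /Length " + str(len(child)).encode()
            + b" >>\nstream\n" + child + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for entry in analyze(build_sample())["children"]:
        print(entry)
```

Running analyze(build_sample()) shows why the carve matters: the top-level scan only sees /EmbeddedFile, because the outer stream boundary swallows the child's compressed stream, while /RichMedia surfaces only in the carved child and only after inflation. Carving to the container's last %%EOF is also what makes two magics produce overlapping children with a common end offset, which is the pattern the artifact offsets in this report show.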

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: filename, SHA-256, kind, source, and size. Size is that of the carved or decoded artifact, not of the span it occupies on disk.

  • stream_013_off000180fb.bin
    SHA-256: 58be295cc939702bba570dda5a581d6a37a13cee027e151c215fc101faa3af4b
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x180FB
    Size: 75176 bytes
  • objstm_0026_00.bin
    SHA-256: a857974669b840d75523cf076c96d626e5e0fa5284200c320ba77d68058c256a
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 26 0 obj (inflated)
    Size: 1061 bytes
  • icc_00_off000137aa.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x137AA
    Size: 3144 bytes
  • font_01_sfnt_off000245f0.bin
    SHA-256: 2721a08a68a4e47e8fa495ca2203426127050ed6d728b24894f604aa1aa6dd00
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x245F0
    Size: 2984 bytes
  • polyglot_child_pdf_off00011773.pdf
    SHA-256: fa76ba31a1869f09df3591f56e957f4ac8e3555d0850beb3f236ae22f16e31d5
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside PDF container at offset 0x11773
    Size: 87772 bytes
  • polyglot_child_pdf_off00025662.pdf
    SHA-256: 0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside PDF container at offset 0x25662
    Size: 6125 bytes

Note on the two child PDFs: 0x11773 + 87772 and 0x25662 + 6125 both equal 159311, the end of the 155.6 KB file, so the second carve lies entirely inside the first. They are two %PDF- markers carved to a common terminator, not two independent payloads; the smaller carve is the tail of the larger one starting at the second marker, so triage the larger carve first and treat hits in the smaller one as duplicates unless they differ.