Malicious PDF — malware analysis report

Static analysis result for SHA-256 f99a1a4c7b322a79…

MALICIOUS

PDF

694.4 KB Created: 2010-09-20 10:36:57 +08:00
MD5: d951f31da1f2229bb817491515900eff SHA-1: 19f658da796cbd54732d47c42bb1a89646f6b792 SHA-256: f99a1a4c7b322a7931b5871a7764c9e5cb070fed7d6c99bd1ea8e47cb40175be
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file exhibits multiple high-severity heuristic firings, including an embedded Flash object and a remote GoTo action. The ML classifier also flagged it as malicious with a high probability. The presence of an embedded Flash object and a remote redirect action indicates a strong likelihood of an exploit attempt or redirection to malicious content. No scripts were extracted, limiting further analysis of the payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9690

Heuristics 6

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • Remote GoTo action medium PDF_GOTO_REMOTE
    PDF references a remote or embedded document via GoToR/GoToE with an extension-less or unresolved target
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
jit.swf
4ede3062e31adcb354c6c4875ca2489187cc712e2d22e939de4cb3a373cb7d3d		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0xF7 1171 bytes
VCtGUAj.pdf
0a16e0f1e2bb2a17ccc6dc8278478af8df86f38b445fc2606d18ca079a150213		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0xB08 411 bytes
VCtGUAj_1.pdf
f83ee74cd4c1bc3879088bb31e79d7a6b6305990613cdf5f068a0a871388ed65		 pdf-embedded-file PDF EmbeddedFile object 3 at offset 0x8B14 350 bytes
polyglot_child_pdf_off00000b08.pdf
1acbb9405b6bdfdb0adff46e7ad7be0e70d1fa4a62563c1e437040d2f1380d10		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xB08 708209 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.