Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa23f7b6bf50264c…

Verdict: MALICIOUS
File type: PDF
Size: 334.2 KB
Created: 2010-02-23 12:29:53 -08:00
Authoring application: Acrobat PDFMaker 7.0 for Word (via Acrobat Distiller 7.0 (Windows))
MD5: 8b953be49251101f5f67021a33792529
SHA-1: 5f6fde39299586e73b510b0ec403f988a5b1be1f
SHA-256: fa23f7b6bf50264c4e85ff6d980395bb4a1f36d3047867540845feadaa2db6a9
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

This PDF file was identified as malicious due to the critical heuristic firing for an embedded Windows executable payload. The PDF also contains JavaScript and XFA form elements, which could be used to trigger the execution of the embedded payload. The primary IOC is the embedded executable file itself, which is likely the second-stage malware.

Heuristics (8)

  • Embedded Windows executable payload in PDF stream (critical, PDF_EMBEDDED_PE_PAYLOAD)
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • Secondary embedded PDF body has suspicious static findings (critical, POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form (low, PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic. (matched inside decoded stream)
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/photoshop/1.0/

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size (plus any per-artifact detection results).

  • embedded_file_obj0002.bin
    SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 2 at offset 0x19FA | Size: 85 bytes
  • embedded_file_obj0003.bin
    SHA-256: 0cae1494b9c99505bf126e683a1a8be36bc8d5e793ab829e266d6e2fd62ccac3
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 3 at offset 0x1AAC | Size: 1466 bytes
  • embedded_file_obj0004.bin
    SHA-256: 1b57e7c1e4bc1f8daf7cdf9c6223b19580c93789063a99232ed1cb040470df13
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 4 at offset 0x1D6B | Size: 9148 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 long base64-like blob(s).
  • embedded_file_obj0005.bin
    SHA-256: f47c3dc8c4eeb64abc2cc332be719add15af6ce6dfdcdb477c08a1aefdbe7477
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 5 at offset 0x290F | Size: 11740 bytes
  • embedded_file_obj0006.bin
    SHA-256: 226eeacc5eecef2a05ca480f144ff6936594e20b5c7672e8f29f25c8bea65a56
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 6 at offset 0x2AD7 | Size: 2928 bytes
  • embedded_file_obj0007.bin
    SHA-256: 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 7 at offset 0x2E44 | Size: 200 bytes
  • embedded_file_obj0008.bin
    SHA-256: d51b9fc28b592405fb598e711d1495e1421571073bc2e8542d55389768716c06
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 8 at offset 0x2F37 | Size: 835 bytes
  • embedded_file_obj0009.bin
    SHA-256: e65f1e07bc965092b3153e64a1e8777a909cc47a98c0e2a10d38c47def2e6652
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 9 at offset 0x3110 | Size: 291 bytes
  • stream_002_off000003e1.js
    SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
    Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x3E1 | Size: 1532 bytes
  • stream_003_off000005cc.js
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
    Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x5CC | Size: 870 bytes
  • stream_008_off0000112a.bin
    SHA-256: 8358d835225babc82acbcbbf2cb07512b8fb3772c5b46ff5956d2c6d02da8c39
    Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x112A | Size: 3024 bytes
  • embedded_pdf_00010737.exe
    SHA-256: 684d56f92afb01638ac80ce43a0d95bc046deed3e9bb4dc58acf9f4383279801
    Kind: embedded-pe | Source: PDF raw stream PE payload at offset 0x10737 | Size: 8200 bytes
  • font_00_sfnt_off00025d4e.bin
    SHA-256: 491cf0647110f094ac3b4355805c008b0475302ea4ffa2fc70dfb3bc7ea70982
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x25D4E | Size: 198004 bytes
  • embedded_pdf_0002062a.exe
    SHA-256: 46c0477cc86a36817eae9d2e7d62ee7f12e0b796a9aecee616f49c93deb11759
    Kind: embedded-pe | Source: PDF decompressed stream PE payload at offset 0x2062A | Size: 104773 bytes
  • polyglot_child_pdf_off0001994f.pdf
    SHA-256: a9396554b8f822a56670ed1bd550a3bd72e4136a36cc9a4e2b0801829ba35c2f
    Kind: polyglot-child-pdf | Source: Secondary PDF body inside pdf container at offset 0x1994F | Size: 237433 bytes