Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc33dba0dea46fa6…

MALICIOUS

PDF

Size: 176.1 KB
Created: 2009-01-04 12:49:30 +08:00
Authoring application: Acrobat PDFMaker 7.0 for Word (via Acrobat Distiller 7.0 (Windows))
MD5: 829a19e24c90be375ed0dd035d3630cd
SHA-1: 363540ba48a607baa49add0d740824acf3fac662
SHA-256: fc33dba0dea46fa632e2f6f23b57e0c8fc4d39a5d59239fcabc4e9f9e056815f
Risk Score: 72

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript and an embedded PDF file, both of which have suspicious static findings. The JavaScript stream and the embedded PDF are likely used to execute malicious code or download further stages. The presence of these embedded objects strongly indicates a malicious intent, likely for delivering a secondary payload.

Heuristics (6)

  • Embedded PDF child has suspicious static findings (severity: high, rule: PDF_EMBEDDED_CHILD_STATIC_TRIAGE)
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low, rule: PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Optional Content Group with action trigger (severity: low, rule: PDF_OPTIONAL_CONTENT)
    Optional Content Group (layer) co-occurs with an action trigger; content can be selectively hidden from viewers or scanners while the action still fires on open.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • icc_00_off000011f1.icc
    SHA-256: eb03db58ff1f226c83103a11f30b5520f9b68a7ced67daa78992723e3ea0411d
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x11F1
    Size: 1320 bytes
  • UR_M36_Rev.3_Sept_2008CLN.pdf
    SHA-256: 24b81fc904f1b495d1f69c7569a156a763cc0bac96f1226c7061120f20c36aff
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 142 at offset 0x15CB3
    Size: 21447 bytes
  • UR_M35__Rev.5_Aug_2008_CLN.pdf
    SHA-256: 82b157c9a2109ba0f2894ecdee9c93f3cc3560c3a12ac61c06048ab18236e05c
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 143 at offset 0x20113
    Size: 16901 bytes
  • javascript_obj0232_000.js
    SHA-256: 97e6c8fb70f6fedab160a41095c99dce3c9d53a0086d3a8d4e6d47cbe03dce61
    Kind: pdf-javascript-stream
    Source: PDF /JS object 232 at offset 0x72C
    Size: 1946 bytes
  • icc_00_off0000259b.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x259B
    Size: 3144 bytes
  • font_00_sfnt_off0000d12c.bin
    SHA-256: 2b1c7d0343d588de000d3a53b9c02bf4a7551f1dadce909c9489c513e8276579
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD12C
    Size: 47668 bytes