Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff256a19a444c1fb…

Verdict: MALICIOUS
File type: PDF
Size: 11.6 KB
Created: Xncc9MI2
First seen: 2015-09-15
MD5: 00fde283d3bc4dcad19ac4e850eb8ec0
SHA-1: 10a408133ee7be47eecc567de6676a179ba911fc
SHA-256: ff256a19a444c1fb30b1d2f20844ac75c1c3bccb0e16f77d063cc2e3c3163645
Risk Score: 70

Malware Insights

MITRE ATT&CK

  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File

The file is a PDF document flagged by a machine learning classifier as malicious. It contains embedded objects and XFA form elements, which are common vectors for PDF exploits. While no specific script was extracted, the presence of embedded content and the ML classification strongly suggest an attempt to exploit a vulnerability or deliver a malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • Malformed active-content stream length (severity: medium, rule PDF_MALFORMED_EXPLOIT_STREAM_LENGTH)
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • Embedded file (severity: low, rule PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form (severity: low, rule PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xdp/ (in PDF document text)
    • http://www.xfa.org/schema/xci/1.0/ (in PDF document text)
    • http://www.xfa.org/schema/xfa-template/2.5/ (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: embedded_file_obj0011.bin
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 11 at offset 0x903
    Size: 518 bytes
    SHA-256: bf7f3dfe2eeadf0dff7fe5198fd9f75f44a38a40e022906d92def1915e4624e5
  • Filename: stream_000_off000000ea.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xEA
    Size: 1953 bytes
    SHA-256: 9f6caaea3dfb51ce47bbc9a1b8d03c3570a7cd3fcc7cf213994241fc77fdbf66

Detection

ClamAV: No threats found
Obfuscation or payload: likely
91 of 129 identifiers look randomly generated (e.g. 'RWn51wKJeQslEE5R457pW4Rx6PJf29VjM0p1Rvcw') — consistent with name-mangling obfuscation.