Win.Trojan.Swrort-5710536-0 — PDF malware analysis

Static analysis result for SHA-256 0369cdabfd4beb55…

MALICIOUS

PDF

58.7 KB Created: 2009-08-30 00:20:17 UTC Authoring application: AdobePS5.dll Version 5.2.2 (via Mac OS X 10.5.8 Quartz PDFContext)
MD5: 9f115a28e1dc692dda0c54415c688339 SHA-1: 07072a7ad8d39784b703a0ccbe1da7995251c3c2 SHA-256: 0369cdabfd4beb55a93a9fc69b3f2d244d0d3544827855f8fa12c8a5cbe37768
456 Risk Score

Malware Insights

Win.Trojan.Swrort-5710536-0 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file contains embedded JavaScript that attempts to launch an embedded executable payload. The embedded file is detected as Win.Trojan.Swrort-5710536-0, and the JavaScript uses the 'exportDataObject' function to trigger the execution of this payload, likely downloaded from one of the unknown URLs. The exploit chain indicates a malicious intent to deliver and run malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 11

  • Adobe Reader Launch/export embedded executable chain critical CVE likely CVE_2010_1240_EMBEDDED_PE_EXPORT
    PDF combines a /Launch action with an embedded-file name tree, exportDataObject JavaScript, and embedded executable bytes. This matches the CVE-2010-1240 Launch-file abuse chain even when the Launch dictionary does not expose the stricter cmd.exe /Win shape.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • Embedded attachment masquerades: declared document, content is windows-executable critical PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Win.Trojan.Swrort-5710536-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Swrort-5710536-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.zeustech.net/
    • http://]hostname[:port]/path
    • http://www.apache.org/
    • http://www.iec.ch

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
form.pdf
c40da68442a72848b62dffc341cb67fafc49d3ca6b04a909bcd8152b919920c0		 pdf-embedded-file PDF EmbeddedFile object 19 at offset 0x38A6 73802 bytes
Detection
ClamAV: Win.Trojan.Swrort-5710536-0
Obfuscation or payload: unlikely
javascript_obj0015_000.js
eff4a0943aaff2d99cb5c8666337775c91d4d5f687782df94d2c5fc77becde7f		 pdf-javascript-stream PDF /JS object 15 at offset 0xE574 53 bytes
icc_00_off000003fb.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x3FB 3144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.