Malicious PDF — malware analysis report

Heuristics 15

• Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
  PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
• Launch action critical PDF_LAUNCH
  PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
• /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
  PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\Stallings_Cryptography_and_Network_Security.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
• Embedded attachment masquerades: declared document, content is windows-executable critical PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
  An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
• Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
  Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
• ClamAV: Pdf.Dropper.Agent-7224753-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Dropper.Agent-7224753-0
• ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
  ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
• /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
  PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
• Unusually high stream count medium PDF_MANY_STREAMS
  PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
• Callback phishing phone lure medium SE_CALLBACK_LURE
  Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
• JavaScript action low PDF_JAVASCRIPT
  PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• Embedded file low PDF_EMBEDDED
  PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://williamstallings.com/StudentSupport.html)/S/URI

  • http://williamstallings.com/Crypto/Crypto4e.html)/S/URI
  • http://williamstallings.com/)/S/URI
  • http://www.ciphersbyritter.com/ARTS/CRNG2ART.HTM)/S/URI
  • http://www.certicom.com/)/S/URI
  • http://www.cryptography.com/dpa/technical/index.html)/S/URI
  • http://www.zeustech.net/
  • http://]hostname[:port]/path
  • http://csrc.nist.gov/encryption/aes
  • http://www.rsasecurity.com/rsalabs
  • http://web.mit.edu/kerberos/www/dialogue.html
  • http://www.cert.org/tech_tips/denial_of_service.html
  • http://www-cse.ucsd.edu/users/mihir
  • http://csrc.nist.gov/encryption/aes/round1/conf2/aes2conf.htm
  • http://wac.colostate.edu/
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://ns.adobe.com/xap/1.0/
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/pdf/1.3/
  • http://csrc.nist.gov/encryption/aes)/S/URI
  • http://www.rsasecurity.com/rsalabs)/S/URI
  • http://web.mit.edu/kerberos/www/dialogue.html)/S/URI
  • http://www.cert.org/tech_tips/denial_of_service.html)/S/URI
  • http://www-cse.ucsd.edu/users/mihir)/S/URI
  • http://csrc.nist.gov/encryption/aes/round1/conf2/aes2conf.htm)/S/URI
  • http://wac.colostate.edu/)/S/URI
  • http://www.redbooks.ibm.com/)/S/URI
  • http://www.schneier.com/paper-prngs.html)/S/URI
  • http://web.mit.edu/kerberos/www/papers.html)/S/URI
  • http://csrc.nist.gov/encryption/modes)/S/URI
  • http://www.rand.org/publications/classics/randomdigits)/S/URI
  • http://www.apache.org/

Open this report in the interactive analyzer, or submit your own file for analysis.