Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c3d21dda6fa0cee…

Verdict: MALICIOUS
File type: PDF
File size: 155.4 KB
MD5: 974ddc8b7bffbb68738b6f57b3217e4c
SHA-1: 519f8b56359da235c82143c6b3da5bcc742c5504
SHA-256: 0c3d21dda6fa0cee6500469492d0d4d149b0fa67d7e1f837f1a39481142c7af7
Risk Score: 334

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript
  • T1059.005 Visual Basic

The PDF contains embedded JavaScript and a launch action that executes cmd.exe. This command chain is designed to create a VBScript file named 'vbs1.vbs' which likely downloads and executes a second-stage payload. The exploit CVE-2010-1240 is specifically mentioned in the heuristics, indicating a known vulnerability is being leveraged.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9970

Heuristics (8)

  • Adobe Reader Launch action VBS dropper command chain (critical, CVE likely) [CVE_2010_1240_LAUNCH_VBS_DROPPER]
    PDF uses a CVE-2010-1240-style Launch action: cmd.exe is invoked from /Launch and builds a VBS stage that uses ADODB.Stream, MSXML2.XMLHTTP, or FileSystemObject to write or execute a payload.
  • Launch action (critical) [PDF_LAUNCH]
    PDF contains a /Launch action whose target is an executable, URL, or UNC path; such an action can start an external application.
  • /Launch action target: cmd.exe (critical) [PDF_LAUNCH_COMMAND]
    PDF /Launch action specifies an executable target with parameters '/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream"'; the target is a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded script payload in PDF stream (high) [PDF_EMBEDDED_SCRIPT_PAYLOAD]
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF JavaScript WScript downloader (high) [PDF_JS_WSCRIPT_DOWNLOADER]
    Decoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream-style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
  • Clickable PDF combines external action with parser-evasion structure (high) [PDF_ACTION_PARSER_EVASION]
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • External URI (info) [PDF_URI]
    PDF contains an external URL action.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.amazon.com/gp/css/summary/edit.html?ie=UTF8&orderID=028-1529148-8414775
    • http://www.amazon.com/gp/help/customer/display.html?ie=UTF8&nodeId=508088
    • http://www.amazon.com/gp/help/customer/display.html?ie=UTF8&nodeId=468496

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source, and size.

  • Filename: embedded_pdf_script_0000380a.bin
    SHA-256: 40abd21cc16d7f47deccc3a181fad013ee9391fed16bacfc36cd3459490f7ecc
    Kind: pdf-embedded-script
    Source: PDF decompressed stream script payload at offset 0x380A
    Size: 90 bytes
  • Filename: font_00_sfnt_off000028eb.bin
    SHA-256: c9fd5a26f00cc25910c34358452dfcfed6f208fd0369a9c7e1d7d1a25cf028fa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x28EB
    Size: 7740 bytes