Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c7f33ee5cd4b364…

Verdict: MALICIOUS
File type: PDF
Size: 2.47 MB
Created: 2024-12-13 16:48:51 UTC
Authoring application: GPL Ghostscript 9.55.0
First seen: 2026-06-14
MD5: 829dce1744219b1cc54016509bfd0996
SHA-1: 0f78d9977ea7a7b0cfb365683b5000b5dc08c525
SHA-256: 0c7f33ee5cd4b3647dc073b05a477e10a8778de11dc970fe508deeb6c5bde985
Risk Score: 488

Machine Learning

  • Nyx PDF Classifier malicious score 0.9743

Heuristics (14)

  • Adobe Reader Launch action command execution (critical, CVE exact, CVE_2010_1240)
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • ClamAV: Pdf.Tool.Agent-1388586 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • Launch action (critical, PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe (critical, PDF_LAUNCH_COMMAND)
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\1234.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable (critical, PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH)
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • /Launch action paired with attachment-dropping JS API (high, PDF_LAUNCH_PLUS_DROPPER_JS)
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • Clickable PDF combines external action with parser-evasion structure (high, PDF_ACTION_PARSER_EVASION)
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • PDF carries a PHP-gateway SEO-spam PDF link farm (medium, PDF_SEO_PHP_GATEWAY_LINK_FARM)
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-phrase document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (low, 1 related finding, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • http://www.emlakmusavirleri.org/index.php/turk-emlakcilik-standardi-yeni-taslak/)/Type/Action (PDF link annotation)
    • http://www.emlakmusavirleri.org/index.php/turk-emlakcilik-standardi-yeni-taslak/ (PDF link annotation)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF link annotation)
    • http://ns.adobe.com/iX/1.0/ (PDF link annotation)
    • http://ns.adobe.com/pdf/1.3/ (PDF link annotation)
    • http://ns.adobe.com/xap/1.0/ (PDF link annotation)
    • http://ns.adobe.com/xap/1.0/mm/ (PDF link annotation)
    • http://purl.org/dc/elements/1.1/ (PDF link annotation)
    • http://www.microsoft.com/typography/ctfontshttp://fontfabrik.comYou (PDF link annotation)
    • http://www.microsoft.com/typography/fonts/default.aspx (PDF link annotation)
    • http://www.microsoft.com/typography/ctfontshttp://www.fonts.comYou (PDF link annotation)

Extracted artifacts (23)

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
1234.pdf pdf-embedded-file PDF EmbeddedFile object 1030 at offset 0x276E25 7168 bytes
SHA-256: 6c85b60de23eb862a02e3f5936bc44b9371286d6ababf1dfd7aeb5b1cc72e3a4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
actual_type=PE; declared_or_context_type=PDF; filename=1234.pdf; kind=pdf-embedded-file
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_VIRTUALPROTECT, SC_PEB_ACCESS, SC_PUSH_STRING
Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, VirtualProtect
javascript_obj1031_000.js pdf-javascript-stream PDF /JS object 1031 at offset 0x2771D4 53 bytes
SHA-256: 936258f21049be2fb5f96b672d42e594952dd51968533a29e9d2ce690c2c51ab
Preview script (first 1,000 lines of the extracted script):
    this.exportDataObject({ cName: "1234", nLaunch: 0 });
font_00_sfnt_off00228e71.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x228E71 33000 bytes
SHA-256: 255415fa42bd507db09ba4c81897b332888da05df6cf01abc9f40485cf4c606c
font_01_cff_off0022ba93.bin pdf-font-stream PDF embedded font (cff) at offset 0x22BA93 236 bytes
SHA-256: 2bb2201d4af29f518e0125e4a49b81fd3bdb28bd3d3df9e8d3f3a0c77ee36590
font_02_sfnt_off0022bcde.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x22BCDE 75644 bytes
SHA-256: 1b3d4d20b20244297644a89b3feeea71e137cc2fd49a1cd44726270112056a64
font_03_sfnt_off0023558d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x23558D 57280 bytes
SHA-256: 56f102f89262ce869df13f2ed38818eaa8e540f0caa7c15741e6b034e6a457ec
font_04_sfnt_off0023a417.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x23A417 57212 bytes
SHA-256: 40a5601c858aa0e9c019dc71b15a377e454b7f2915198aca9bd8789ea1f2f18d
font_05_sfnt_off0023f277.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x23F277 84840 bytes
SHA-256: ac5123d8a6a73022648616a428550cbdd5e0361889a3a7deaea875030968fdfb
font_06_sfnt_off00246cd9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x246CD9 28488 bytes
SHA-256: d7e132e3be974e9bb1daf3c05b6483db2bf3f2141ffa52c5c355ad0eece53396
font_07_sfnt_off00249c93.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x249C93 38344 bytes
SHA-256: 6fc5a82a69a741dbb53c4be7983d6176abd04cb6cf1bd15e02eeeb10e74bbebe
font_08_sfnt_off0024dba2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x24DBA2 51948 bytes
SHA-256: e467bbc48644758780d339509c267026a06476cf77efa27b4c90ddcac2ac82ad
font_09_sfnt_off002513ff.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2513FF 29136 bytes
SHA-256: 63a7cc0fd8666ff326a37b37f990a1c3d67a15b0a57546544ac85c3546eff3c0
font_10_sfnt_off00253007.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x253007 35604 bytes
SHA-256: 02ecf6ed847828fbc84cbbca3bb56deb64999c218c4f17368af6d3b466b352c7
font_11_cff_off0025580d.bin pdf-font-stream PDF embedded font (cff) at offset 0x25580D 262 bytes
SHA-256: af54c07c9f0a10484b321853cef65fd1b3cacb066e19f6af56028698fe4d6a86
font_12_sfnt_off00255a3d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x255A3D 5160 bytes
SHA-256: cb4e588a567db9f3da8aaf96785562170f85d5a310902bd314f605af7d39b793
font_13_sfnt_off002565b0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2565B0 55268 bytes
SHA-256: e88adc1e67782e16f9846e08f711b8c07031fa60efe139ff7d7b06fd11a35155
font_14_cff_off0025d3e2.bin pdf-font-stream PDF embedded font (cff) at offset 0x25D3E2 264 bytes
SHA-256: 6116756ce8ec702dc1db2df2c1ad8eadc82bfad2f23571e4896691061cf5af45
font_15_cff_off0025d6f8.bin pdf-font-stream PDF embedded font (cff) at offset 0x25D6F8 8529 bytes
SHA-256: 4489e115651a138fdcda9248e73cd5bc5840593bbcd9ea962d0d4d534ebb12c7
font_16_sfnt_off0025f569.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x25F569 47944 bytes
SHA-256: a096b7b60abf2cc7cc8260af4fa22a40a6d1b27de8bb520e2f85e12a8ac5a431
font_17_sfnt_off002633ed.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2633ED 5132 bytes
SHA-256: 7a22e12d48be1c07b29315dd546f3c11360ff30da1e92c49707502e31c9e3b5e
font_18_sfnt_off00264058.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x264058 51756 bytes
SHA-256: 35ab0d2b80d7d26ed184dc8e176cf807dc2e1f7586524c8da49fff2ad1971459
font_19_cff_off00268879.bin pdf-font-stream PDF embedded font (cff) at offset 0x268879 7631 bytes
SHA-256: 1cb137766dcdb34d9fe99c3614b882bc93eb9eadb976f3e264ac7a4e98be0b66
font_20_sfnt_off0026a40c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x26A40C 57308 bytes
SHA-256: d13d6eaff8cd378aae3aa0b6350d67fa76ab30ac921205b7cc259420fe02b5ff