Malicious PDF — malware analysis report

Static analysis result for SHA-256 0fc2439b0493b432…

Verdict: MALICIOUS
File type: PDF
Size: 2.65 MB
Created: 2010-06-03 00:17:46 +10:00
Authoring application: Writer (via OpenOffice.org 3.2)
MD5: 6a2872bcd9e5ce341f208dfb6565d80e
SHA-1: 4811f97a0e7ef12f3076a304504a6af90df674e6
SHA-256: 0fc2439b0493b4324bde1950a732dc9d6cc1e9bd2b4667f0ad38cd53058af82c
Risk score: 584

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript
  • T1105 Ingress Tool Transfer

This PDF file exploits CVE-2010-1240 to execute cmd.exe, which is then used to download a secondary payload from http://pd.mine.nu/PDF.exe. The embedded JavaScript and the ClamAV detection (Pdf.Tool.Agent-1388586) strongly indicate malicious intent. The URL http://gagabux.com/register.php/cullen24.html is also present, likely as part of the download or redirection chain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8237

Heuristics (15)

  • Adobe Reader Launch action command execution (critical; CVE exact: CVE_2010_1240)
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action (critical; PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application.
  • /Launch action target: cmd.exe (critical; PDF_LAUNCH_COMMAND)
    PDF /Launch action specifies an executable target with parameters '/Q /C (cd %temp%' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Secondary embedded PDF body has suspicious static findings (critical; POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV: Pdf.Tool.Agent-1388586 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • ClamAV detection on extracted artifact (critical; EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream (high; PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF JavaScript WScript downloader (high; PDF_JS_WSCRIPT_DOWNLOADER)
    Decoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
  • Clickable PDF combines external action with parser-evasion structure (high; PDF_ACTION_PARSER_EVASION)
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • LOLBin token sequence in document text (high; SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact (medium; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded file (low; PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • External URI (info; PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info; PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://gagabux.com/register.php/cullen24.html
    • http://pd.mine.nu/PDF.exe

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source, size, and any detection notes.

  • embedded_pdf_script_000de419.bin
    SHA-256: a51783717376300b7442d91b65b6c754b2cab1a12585183cd9a05e96fcc74a76
    Kind: pdf-embedded-script
    Source: PDF decompressed stream script payload at offset 0xDE419
    Size: 2782491 bytes
    Detection: ClamAV: Pdf.Tool.Agent-1388586
    Obfuscation or payload: likely
    Carved artifact contains 4 shell/COM execution token(s). Carved artifact contains 4 long base64-like blob(s).
  • font_00_sfnt_off0003852e.bin
    SHA-256: f1774a9d21ced6975b78d8668b5b592d0a95325bb2d147ebd230c32f9309c97e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3852E
    Size: 48100 bytes
  • font_01_sfnt_off000409a0.bin
    SHA-256: e8ad45fff6502ba8f2835c27a55f2dea034846e8567b76ba1ad2ac853201f44f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x409A0
    Size: 31516 bytes
  • embedded_pdf_script_00097e48.bin
    SHA-256: ce838b81529a7c817fb9383401b924db481769a41b4c032451fa99fa735db4a6
    Kind: pdf-embedded-script
    Source: PDF decompressed stream script payload at offset 0x97E48
    Size: 2494282 bytes
    Detection: ClamAV: Pdf.Tool.Agent-1388586
    Obfuscation or payload: likely
    Carved artifact contains 4 shell/COM execution token(s). Carved artifact contains 3 long base64-like blob(s).
  • polyglot_child_pdf_off000465e7.pdf
    SHA-256: 449db52f5a2aeb7a43f43b321d58e1db5c58386ad1343ba5ef59028866f24d9c
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x465E7
    Size: 2494360 bytes
    Detection: ClamAV: Pdf.Tool.Agent-1388586
    Obfuscation or payload: unlikely
  • embedded_pdf_script_000de419_1.bin
    SHA-256: a5d0a3c73b5b0b8345b3e473fbe1f17da49a176ca29c368e77d001d1489035c5
    Kind: pdf-embedded-script
    Source: PDF decompressed stream script payload at offset 0xDE419
    Size: 1870718 bytes
    Detection: ClamAV: Pdf.Tool.Agent-1388586
    Obfuscation or payload: likely
    Carved artifact contains 4 shell/COM execution token(s). Carved artifact contains 2 long base64-like blob(s).
  • polyglot_child_pdf_off000de9cd.pdf
    SHA-256: 7ed32499b69f86c8ea2b55892491eb883213d86686aa89d6a1798a417a506e54
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0xDE9CD
    Size: 1870770 bytes
    Detection: ClamAV: Pdf.Tool.Agent-1388586
    Obfuscation or payload: unlikely
  • embedded_pdf_script_00097e48_1.bin
    SHA-256: 785bad6efecce9744f9c815c46d05cd326a0b3e0b18cbcdbe6ea6f303f562bac
    Kind: pdf-embedded-script
    Source: PDF decompressed stream script payload at offset 0x97E48
    Size: 1582509 bytes
    Detection: ClamAV: Pdf.Tool.Agent-1388586
    Obfuscation or payload: likely
    Carved artifact contains 4 shell/COM execution token(s). Carved artifact contains 1 long base64-like blob(s).
  • polyglot_child_pdf_off00124fb4.pdf
    SHA-256: acdccc0f68ddc9216c6acf59e8bc9e8266c066e9270a82ccbc60c11701cc8176
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x124FB4
    Size: 1582539 bytes
    Detection: ClamAV: Pdf.Tool.Agent-1388586
    Obfuscation or payload: unlikely