Malicious PDF — malware analysis report

Static analysis result for SHA-256 11ba6a1fc5e95e93…

MALICIOUS

PDF

13.77 MB
MD5: fb7c810a66be33108f30936fe2c95185 SHA-1: 2710a0778277d0c233e8d40ffd0becbf25d1622f SHA-256: 11ba6a1fc5e95e931669b76b33544cf272b8c802e6a600128e7bfe65e150aba5
580 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript T1566.001 Spearphishing Attachment

This PDF exploits CVE-2010-1240 via a launch action that executes cmd.exe, which in turn is designed to launch an embedded executable disguised as 'acrobat_8_help.pdf'. The embedded JavaScript uses the `exportDataObject` API, confirming its role as a dropper. The presence of a malicious executable artifact detected by ClamAV and the critical heuristic firings strongly indicate a malicious intent to execute a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics 16

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\acrobat_8_help.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable critical PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Unusually high stream count medium PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://server/folder
    • http://www.color.org
    • http://www.zeustech.net/
    • http://]hostname[:port]/path
    • http://www.adobe.com/go/partner_public_acrobat_sdk_doc
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.adobe.com/go/partner_public_acrobat_sdk_doc)/S/URI
    • http://www.adobe.com/go/support)/S/URI
    • http://www.adobe.com/go/acr8_digital_editions)/S/URI
    • http://www.adobe.com/go/ext_icc)/S/URI
    • http://www.loc.gov/standards)/S/URI
    • http://www.adobe.com/go/accessibility)/S/URI
    • http://www.adobe.com/go/acrobat_developer)/S/URI
    • http://www.adobe.com/go/adobecom_acrobat)/S/URI
    • http://www.adobe.com/go/partner_public_opi2_spec)/S/URI
    • http://www.adobe.com/go/partner_public_pdf_ref)/S/URI
    • http://www.adobe.com/go/partner_public_acrobat_sdk)/S/URI
    • http://www.apache.org/
    • http://www.iec.ch

Extracted artifacts 21

Files carved from inside the sample during analysis.

FilenameKindSourceSize
IComm_Standard.joboptions
c327569ef44fea830f0009a7d04d1de7c1f2d9d4b58de75b0905fa35cf8b5df3		 pdf-embedded-file PDF EmbeddedFile object 1936 at offset 0x8198FC 13741 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 12 long base64-like blob(s).
acrobat_8_help.pdf
a4a8e9b1e25b2909e03de5b1935eaff295a4c97c4a1649d1ad10171fb9699070		 pdf-embedded-file PDF EmbeddedFile object 109309 at offset 0xDB9BC2 73802 bytes
Detection
ClamAV: Win.Trojan.MSShellcode-7
Obfuscation or payload: unlikely
javascript_obj109310_000.js
0f6a544bc62f6b55670e77d03928046b77a8cc097b46b16e76868f18d46d9860		 pdf-javascript-stream PDF /JS object 109310 at offset 0xDC4852 63 bytes
stream_005_off0000e6b6.bin
c985f881002be3bc3acc81dfdeb735f2b10e0ca60c080b9ac3aa2838fabc6ebf		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xE6B6 3883 bytes
stream_007_off0000fc49.bin
d6a066d74e6d5e161b86929b50975cd16ae893b67cdd723f7cda2d59c96112ff		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xFC49 10764 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.
stream_041_off00020df2.bin
1017700478ba3fc82751e9ae960a863f99e46282149aeeb1f7066ce728a3f874		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x20DF2 4012 bytes
stream_065_off0002f68f.bin
a6b5770e718b2f688df3c95673c22da4737684f77f8eff59be9bacc1fa008ce5		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2F68F 4875 bytes
icc_00_off0001606c.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x1606C 3144 bytes
font_00_cff_off0000b9e7.bin
0cd48bf6f5def3b9b403f5bdff39a6d10bd85db365266b8899565640b7289fab		 pdf-font-stream PDF embedded font (cff) at offset 0xB9E7 10682 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.48, consistent with packed or encrypted content.
font_03_cff_off0001294b.bin
1aecd2f421f13718609b8d83b73d2fa474de11a556800530c45f80c9fa3617f0		 pdf-font-stream PDF embedded font (cff) at offset 0x1294B 5952 bytes
font_04_cff_off000144f9.bin
ad0d73c153ec7e0aa6711cdffc8fb5c47f8be80907e93794e118e68ee679544e		 pdf-font-stream PDF embedded font (cff) at offset 0x144F9 7135 bytes
font_05_cff_off0003668b.bin
012615f74905f85d78add2e8e4aa0d067a045422494f741bdf8de211aa3e9d6d		 pdf-font-stream PDF embedded font (cff) at offset 0x3668B 383 bytes
font_06_cff_off00058de5.bin
d9241b668321fc83d179351b02222aab90f6b98dff0c6bc17f6d633574461881		 pdf-font-stream PDF embedded font (cff) at offset 0x58DE5 1479 bytes
font_07_cff_off0006a4fe.bin
2ab3518ca11655716c486784248bad4ae3fc87af8c8930257dacda86b4590e13		 pdf-font-stream PDF embedded font (cff) at offset 0x6A4FE 720 bytes
font_08_cff_off000af45e.bin
f480384be900a2208ec8af6afe588fcf39b983c1a38e9a98a023c502830d4ca8		 pdf-font-stream PDF embedded font (cff) at offset 0xAF45E 1652 bytes
font_09_cff_off00103d35.bin
877cce84409aa1c1bef39bcb7ccc83969f15dbd09b5564ad80f8fa3697196888		 pdf-font-stream PDF embedded font (cff) at offset 0x103D35 6653 bytes
font_10_cff_off00123536.bin
91fa0591d743f34585a7da4c3bb579e7e91cd9ef2c39adf0db4e67f9c808b864		 pdf-font-stream PDF embedded font (cff) at offset 0x123536 1291 bytes
font_11_cff_off0017940c.bin
8e8e59473b25121bfec1401cef708e886d7303a212f2d23b9302edf6286174a5		 pdf-font-stream PDF embedded font (cff) at offset 0x17940C 1081 bytes
font_12_cff_off001cad2e.bin
95b837a95733be429e270c06412fc7e0b988525b7e429021b35c538036700dcc		 pdf-font-stream PDF embedded font (cff) at offset 0x1CAD2E 844 bytes
font_13_cff_off002ac344.bin
87a2ed62eb92c57133e1b3d1ed873c21fe2d6c9062b5243eb9cc741356a2dce4		 pdf-font-stream PDF embedded font (cff) at offset 0x2AC344 1206 bytes
font_14_cff_off005792d4.bin
8b20a365fa42c082b023b2dc2e3016857ce9801c8859be2b0775af220f435956		 pdf-font-stream PDF embedded font (cff) at offset 0x5792D4 671 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.