Malicious PDF — malware analysis report

Static analysis result for SHA-256 1487a2100f4ffe2a…

MALICIOUS

PDF

669.4 KB Created: 2012-02-25 12:04:21 +05:30 Authoring application: Adobe PageMaker 7.0 (via Acrobat Distiller 8.1.0 (Windows))
MD5: d89516ca500ced7011e63ad4451b77b4 SHA-1: 92a54fa485a2792261cbc0724e5c2193e759c927 SHA-256: 1487a2100f4ffe2a986c3b792c18ba63762ed383ff153b67c81ea3ed71d420e5
526 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that triggers a launch action, executing cmd.exe. This action is designed to export an embedded file named 'chapter1.pdf', which is actually a Windows executable payload. The embedded executable was detected by ClamAV as Win.Trojan.MSShellcode-7, indicating a malicious payload. The exploit chain matches CVE-2010-1240.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9926

Heuristics 14

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\chapter1.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable critical PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.zeustech.net/
    • http://]hostname[:port]/path
    • http://www.monotype.comhttp://www.monotype.com/html/type/license.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.apache.org/
    • http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlNOTIFICATION
    • http://www.iec.ch

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
chapter1.pdf
373ef3f754fafc733020eb87a42b4c0b85b5e0decb46ce68d96af1bc9b046e32		 pdf-embedded-file PDF EmbeddedFile object 1024 at offset 0x9C229 73802 bytes
Detection
ClamAV: Win.Trojan.MSShellcode-7
Obfuscation or payload: unlikely
javascript_obj1025_000.js
9f2bf398540e982991927a9a681a21a171e4a2942b98b38561bb0c4bdafe0f31		 pdf-javascript-stream PDF /JS object 1025 at offset 0xA6EFC 57 bytes
stream_044_off00040111.bin
47a4c5a45ebac005bd0066b3744f43dc55580d11b7befe7356e010c61617aa11		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x40111 224990 bytes
icc_00_off000028f6.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x28F6 3144 bytes
font_00_cff_off00001a4e.bin
3ad137e1d6f68a899f1d8a255477e16cf58c3b1da114a2f3a86492479bc8d608		 pdf-font-stream PDF embedded font (cff) at offset 0x1A4E 483 bytes
font_01_cff_off000366ec.bin
1c41f2018bb6a001b57464f0a38a0a1b1f26770fa80ecda0d62329df8828baeb		 pdf-font-stream PDF embedded font (cff) at offset 0x366EC 633 bytes
font_02_cff_off00036a9c.bin
35472e882bd88965db7a50f285114c7fdf0bacc8a381c23d2bd9dffeb9776ef8		 pdf-font-stream PDF embedded font (cff) at offset 0x36A9C 1542 bytes
font_03_sfnt_off00037a65.bin
4b7fc96e9b2c97ab82e7855463a7ac9c0ab35b847e3e213fda897e817667b32f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x37A65 6340 bytes
font_04_sfnt_off00038b8f.bin
2887fc63eab166d6e45b4721d7db7401e198b5ca332d8c2751fa478f7ce12f44		 pdf-font-stream PDF embedded font (sfnt) at offset 0x38B8F 7984 bytes
font_05_sfnt_off0003a4cf.bin
c296fc8e789017c765df8d4977e2598c64e536f7bc2338cd193820e598c2bb7a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3A4CF 10396 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.