Malicious PDF — malware analysis report

Static analysis result for SHA-256 163a1facb250e8ba…

MALICIOUS

PDF

222.3 KB Created: 2009-10-26 13:04:45 -05:00 Authoring application: LaTeX with hyperref package (via pdfTeX-1.40.3)
MD5: aab0d6f47cae95a0c698bbc4da7c4e54 SHA-1: 33ff78013f8bd80fc7107db6b2c07a7dc00bacfb SHA-256: 163a1facb250e8bade23cac56023485b8ee8d717fb0d924fad99603e3f1f9197
562 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution T1105 Ingress Tool Transfer

This PDF file contains embedded JavaScript that triggers a launch action for cmd.exe, which in turn attempts to execute an embedded Windows executable disguised as 'users_guide.pdf'. The embedded executable is detected as a malicious payload. The use of a launch action combined with an embedded executable payload is a common technique for delivering malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9946

Heuristics 17

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\users_guide.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable critical PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://127.0.0.1:55555/
    • http://www.uninformed.org/?v=1&a=3&t=pdf
    • http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf
    • http://www.metasploit.com/
    • https://bugs.launchpad.net/bugs/282302
    • http://metasploit.com/framework/download/
    • http://metasploit.com/framework/support
    • http://subversion.tigris.org/faq.html#proxy
    • http://www.metasploit.com/documents/meterpreter.pdf
    • http://spool.metasploit.com/
    • http://marc.info/?l=bugtraq&m=104612710031920&q=p3
    • http://www.metasploit.com

Extracted artifacts 15

Files carved from inside the sample during analysis.

FilenameKindSourceSize
users_guide.pdf
c22342c29dbecc0bb1f5e27c11b585f670fe5f264300faa0bbe1be9869724a34		 pdf-embedded-file PDF EmbeddedFile object 477 at offset 0x2ED04 66560 bytes
javascript_obj0478_000.js
a8e0025aba07b8e30a4ff8ec082b173c5f1987520ae4a404f054aa61dd32dea2		 pdf-javascript-stream PDF /JS object 478 at offset 0x37508 60 bytes
stream_027_off00013093.bin
98b4c9d62a1d55ba5c43f20cc3acac57ab4a47bd28f69efcb1500d7796b3fe92		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x13093 9832 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.88, consistent with packed or encrypted content.
font_00_type1_off0001568a.bin
60b30b84dd9c5c5252d45e27e7a7e249447bef3e349a4f842aba359909dc48f1		 pdf-font-stream PDF embedded font (type1) at offset 0x1568A 10861 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.87, consistent with packed or encrypted content.
font_01_type1_off00018036.bin
e6fc6804f3f03b066f2f270a2931efc6f494bfff84a593cbf588bffc17e520b3		 pdf-font-stream PDF embedded font (type1) at offset 0x18036 17591 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.
font_02_type1_off0001c3c6.bin
5d2b51b74060f9561f0131a8e74384197374bf191b9eb35bf4b4a8d04bfadd02		 pdf-font-stream PDF embedded font (type1) at offset 0x1C3C6 3288 bytes
font_03_type1_off0001d0e9.bin
29285ea75d9663dd2bf6af3bd3bae40e82ea4851ef9bb55cd917eeff15aea4b5		 pdf-font-stream PDF embedded font (type1) at offset 0x1D0E9 4794 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.77, consistent with packed or encrypted content.
font_04_type1_off0001e3b0.bin
4b2e74a3d572b425d807f80f59917fc7b2a4bd9fdaddbd487b3520ff1f0f4017		 pdf-font-stream PDF embedded font (type1) at offset 0x1E3B0 1963 bytes
font_05_type1_off0001ebd7.bin
dbab26b9e9d89bbb0d00262461da26e552a1b1ed12e88fede3e572aad218c190		 pdf-font-stream PDF embedded font (type1) at offset 0x1EBD7 1954 bytes
font_06_type1_off0001f3f5.bin
40fbf7968458fa48582d153167dc0d0eb407bc388a98296d8e8212b51bab7ee7		 pdf-font-stream PDF embedded font (type1) at offset 0x1F3F5 6518 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.82, consistent with packed or encrypted content.
font_07_type1_off00020d3e.bin
b49c2c086e9c589c6242d405a570a07fdba211181af8821afdbe9eeefd427c13		 pdf-font-stream PDF embedded font (type1) at offset 0x20D3E 1326 bytes
font_08_type1_off000212d9.bin
c01f655b28cb429b1871e22dd89fa78fd8202b582539c7324a543c408d8df743		 pdf-font-stream PDF embedded font (type1) at offset 0x212D9 3910 bytes
font_09_type1_off00022273.bin
e59fa527cc81f200139dc3e59f50f0f216df954cdbbd7122cd28b13374a43178		 pdf-font-stream PDF embedded font (type1) at offset 0x22273 14877 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.88, consistent with packed or encrypted content.
font_10_type1_off00025ba6.bin
c966544533a4b24b4a363a64cbca036c550b152652663100f2bcc226b37d6be3		 pdf-font-stream PDF embedded font (type1) at offset 0x25BA6 12677 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.87, consistent with packed or encrypted content.
font_11_type1_off00028c51.bin
2a515d3352f53ccc7dccfa2dd9f82c79ce31cc7ade17182ab62d3a69a8bd8da7		 pdf-font-stream PDF embedded font (type1) at offset 0x28C51 3814 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.