Malicious PDF — malware analysis report

Static analysis result for SHA-256 16a05c5b2e8d8cbd…

Verdict: MALICIOUS
File type: PDF
Size: 2.78 MB
Created: 1/1/2003 2:43:48
Authoring application: PScript5.dll Version 5.2 (via GNU Ghostscript 7.05)
MD5: f56856b522eec295a6ad5e169599a187
SHA-1: deb777d5267d98b92e2ac8eccc6a0fdc3c8e55dc
SHA-256: 16a05c5b2e8d8cbdec09246346ed442f802bb053477f917707bc76bed45b786a
Risk Score: 354

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

This PDF file triggers the critical PDF_LAUNCH heuristic, indicating an attempt to execute a command: it invokes cmd.exe to create and run a Visual Basic script that is designed to download a second-stage payload. The embedded script together with the launch action strongly indicates an intent to execute arbitrary code on the victim's machine.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9835

Heuristics (9)

  • Adobe Reader Launch action VBS dropper command chain (critical; CVE likely) CVE_2010_1240_LAUNCH_VBS_DROPPER
    PDF uses a CVE-2010-1240-style Launch action: cmd.exe is invoked from /Launch and builds a VBS stage that uses ADODB.Stream, MSXML2.XMLHTTP, or FileSystemObject to write or execute a payload.
  • Launch action (critical) PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path and can therefore start an external application.
  • /Launch action target: cmd.exe (critical) PDF_LAUNCH_COMMAND
    The PDF /Launch action specifies an executable target with parameters '/c echo Dim BinaryStream > loled1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream"' and references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded script payload in PDF stream (high) PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF JavaScript WScript downloader (high) PDF_JS_WSCRIPT_DOWNLOADER
    Decoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
  • Clickable PDF combines external action with parser-evasion structure (high) PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://gcc.gnu.org/onlinedocs/gcc/C---Dialect-Options.html#C++%20Dialect%20Options

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source, and size; detection results are shown where available.

  • embedded_pdf_script_000114f2.bin
    SHA-256: 7f1c464046be7883d9034a9e4e7538dbc223c2123f271bebc4b3bade0e794082
    Kind: pdf-embedded-script
    Source: PDF decompressed stream script payload at offset 0x114F2
    Size: 2911352 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 shell/COM execution token(s).
  • font_00_sfnt_off000044fd.bin
    SHA-256: 3dd973d10a64628a1c3c79d3b6fdd249a4cb299f1a773f855826dfacdd19c717
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x44FD
    Size: 15400 bytes
  • font_01_sfnt_off000067cc.bin
    SHA-256: 58724ed361f5b9852e36ae61c32f82a27dad1c6f0c7c85ba7d53da5c959ee95b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x67CC
    Size: 23948 bytes
  • font_02_sfnt_off0000a41d.bin
    SHA-256: 951b9d7dcb9bd3d3abe0f1cd965dd32bfb2da1b23ad34b773d31bc97e9224cb8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA41D
    Size: 13596 bytes
  • font_03_sfnt_off0000c1b1.bin
    SHA-256: dafd8d2d9028ee88e2be01004c0f25914053935952ae6c014d24fc99b8b73560
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC1B1
    Size: 22176 bytes
  • font_04_cff_off0000f822.bin
    SHA-256: 52b3e1c1f84e3ec89fbc29934d2eab5b9d7bad21f64a7b6c1d086bafbfd1ba85
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xF822
    Size: 3267 bytes