MALICIOUS
324
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.003 Windows Command Shell
T1105 Ingress Tool Transfer
This PDF file contains a critical PDF_LAUNCH_COMMAND heuristic firing indicating that cmd.exe is executed with specific parameters. This execution is chained with an embedded PE payload, as indicated by the PDF_EMBEDDED_PE_PAYLOAD heuristic. The CVE_2010_1240 technique is specifically matched, confirming the exploit of a launch action for command execution. The embedded executable payload is the primary malicious artifact, likely intended to further compromise the system.
Heuristics 9
-
Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
-
Launch action critical PDF_LAUNCHPDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
-
Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOADPDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
-
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMANDPDF /Launch action specifies an executable target with parameters '/Q /C (if exist "%HOMEPATH%\\My Documents\\100820310.pdf" (cd "%HOMEPATH%\\My Documents"' — references a known-dangerous executable (cmd, PowerShell, etc.).
-
ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Tool.Agent-1388586
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0035_000.jsccc245dddf89c293679e1dd27f7f7ed8fead0ee5568de39f4396d6f95ae968ba |
pdf-javascript-stream | PDF /JS object 35 at offset 0x10948 | 58 bytes |
stream_004_off0000487a.bin3434711f6f1f0188a5ccdc29876bf50388c158d7dcbb426e00add03cc0aefdef |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x487A | 38248 bytes |
stream_007_off00010745.bin1c3eb8f1586bf6091115bb86949d696cca6f2c564a3dfce5c191cf5844062af0 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x10745 | 2048 bytes |
font_00_sfnt_off0000230f.bin8dd71f2ab5f9c84a493a3b894618bbc71ab7e5ef292226227a9a9853b4f0cddc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x230F | 19156 bytes |
font_02_sfnt_off0000a787.bin58d0863f7d84fda8553561d45fef2fdb0114ff487cde5224ca5d5b1fb09f2ff2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA787 | 26140 bytes |
font_03_sfnt_off0000e711.bin1b31c4237d3b0c1b0ee9d40c9b895e821d0160ee357a0c87e30bba9db72743ce |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE711 | 11744 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.