PDF malware analysis — malicious · 214da59d1218f84c

MALICIOUS

PDF

81.7 KB Created: 2009-09-21 23:01:37 Authoring application: PScript5.dll Version 5.2.2 (via AFPL Ghostscript 8.53)

MD5: 822635b834368f0445af5a51aee96e8d SHA-1: 41198f4da7ecb30c2926fc4b0a6f446031eb2a3e SHA-256: 214da59d1218f84c1116b50ed77bbcec0b7a2c2c9076d94b7edc79127e67c34f

484 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The PDF file contains a launch action that executes cmd.exe, which is designed to download and execute an embedded Windows executable payload. This payload is disguised as a PDF file named 'Relatorio6SL.pdf' but is detected by ClamAV as Win.Trojan.Rozena-131. The exploit targets CVE-2010-1240, a known vulnerability in Adobe Reader for command execution.

Heuristics 11

Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240

PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
Launch action critical PDF_LAUNCH

PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD

PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND

PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\Relatorio6SL.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
Embedded attachment masquerades: declared document, content is windows-executable critical PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH

An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
/Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS

PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 13

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`Relatorio6SL.pdf` `6d5b5cdfb0df4ae8e8c5be33b1f0d89f0324484a846d2c279d45f8d2912eb3d7`	pdf-embedded-file	PDF EmbeddedFile object 62 at offset 0xF5E4	37888 bytes
Detection ClamAV: Win.Trojan.Rozena-131 Obfuscation or payload: unlikely
`javascript_obj0063_000.js` `9b21c1a4c921434cda183a1522abb212adb47f2900ab96689135968ad60f5f1c`	pdf-javascript-stream	PDF /JS object 63 at offset 0x142D6	61 bytes
`font_00_cff_off000046e2.bin` `8244bf89b3a0fd12167df941c8ab6bd1f491c1f8b41a4b592aa185ba79029d67`	pdf-font-stream	PDF embedded font (cff) at offset 0x46E2	4269 bytes
`font_01_cff_off000054df.bin` `78930c4d0c7c7dd7bb50a6b4b5fae43ce80feebe863eafd044ca08039d50f7aa`	pdf-font-stream	PDF embedded font (cff) at offset 0x54DF	1012 bytes
`font_02_cff_off00005a54.bin` `22e0f8d2645a5d2c89da70c12a5059861ff0db04dd579bcf69479893ecb033eb`	pdf-font-stream	PDF embedded font (cff) at offset 0x5A54	7788 bytes
`font_03_cff_off0000742b.bin` `171a9f35ce669ea33ebe0747e1fd681fec88f3903ce7152a361f12088a80e9ee`	pdf-font-stream	PDF embedded font (cff) at offset 0x742B	5631 bytes
`font_04_sfnt_off000083ec.bin` `0c42bfe7730aeccee5032b67039bea1b6a3de19257409d70be30ee787810cb2e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x83EC	4928 bytes
`font_05_sfnt_off00008d7b.bin` `7bedb919a8ea6d38c52bf1540b0f4a66d4b0304f62c0e169a139c105c0aaea93`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8D7B	5604 bytes
`font_06_cff_off00009941.bin` `5e10c4a190cb29bcd9e9f3b5bf218cabd423f2ff1eb66c804937956666fc0bb0`	pdf-font-stream	PDF embedded font (cff) at offset 0x9941	1528 bytes
`font_07_cff_off0000a092.bin` `39d58b8db81e0579aed422b714b1a6a2ccb59daadd14bc855983d02534f1c64d`	pdf-font-stream	PDF embedded font (cff) at offset 0xA092	5808 bytes
`font_08_cff_off0000b155.bin` `78922bd9c47c090f1dcaaa4dca0cdb9effeb7cde6a0d0d3f4859ff587bb3aeb1`	pdf-font-stream	PDF embedded font (cff) at offset 0xB155	3514 bytes
`font_09_sfnt_off0000be98.bin` `b0c37bac8b558f9bd6146992bf1b9b1c7d2a267355fece674761d2228c8c2349`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBE98	6812 bytes
`font_10_sfnt_off0000cf08.bin` `0bb706ccf7363871df204b9d49cef95e3362665b2491b0731dd48d111c8fa695`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCF08	13164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.