Verdict: MALICIOUS
Risk Score: 328

Malware Insights

MITRE ATT&CK:
- T1204.002 Malicious File
- T1059.003 Windows Command Shell
- T1105 Ingress Tool Transfer
The PDF file contains embedded JavaScript, and a critical PDF_LAUNCH heuristic fired, indicating an attempt to execute cmd.exe. This is further supported by the CVE_2010_1240 heuristic, which specifically targets this type of exploit. The embedded PE payload suggests the primary purpose is to download and execute a secondary malicious binary. The ClamAV detection also confirms its malicious nature.
Heuristics (10)

- Adobe Reader Launch action command execution (critical, CVE exact, `CVE_2010_1240`): PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
- Launch action (critical, `PDF_LAUNCH`): PDF contains a /Launch action whose target is an executable, URL, or UNC path; it can start an external application.
- Embedded Windows executable payload in PDF stream (critical, `PDF_EMBEDDED_PE_PAYLOAD`): PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
- /Launch action target: cmd.exe (critical, `PDF_LAUNCH_COMMAND`): PDF /Launch action specifies an executable target with parameters `'/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\test.pdf" (cd "Desktop"'`; this references a known-dangerous executable (cmd, PowerShell, etc.).
- ClamAV: Pdf.Tool.Agent-1388586 (critical, `CLAMAV_DETECTION`): ClamAV detected this file as malware: Pdf.Tool.Agent-1388586.
- JavaScript action (low, `PDF_JAVASCRIPT`): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, `PDF_JS`): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded file (low, `PDF_EMBEDDED`): PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
- PDF differential parser failed (info, `PDF_DIFFERENTIAL_PARSE_FAILED`): The cross-check parser (pdfminer.six) failed on this file: PDF differential parser exited 1. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
- Embedded URL (info, `EMBEDDED_URL`): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/iX/1.0/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://purl.org/dc/elements/1.1/
Extracted artifacts (17)

Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0206_000.js | b1a09f919e0f5d1c1d284849c9af93bae6fd1411634dfdc491e126f9cd327f3f | pdf-javascript-stream | PDF /JS object 206 at offset 0x23BCE6 | 53 bytes |
| stream_055_off00236f40.bin | 35a5003eb15340a9d122a115ca38ee184fdecadce23a0e017e2ae114a1973b81 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x236F40 | 37888 bytes |
| icc_00_off001ff7a7.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x1FF7A7 | 3144 bytes |
| font_00_cff_off00071636.bin | e40318f4699d4d1d3ca6dd8e45396a94cc2ad81c6d122f2c89c8a3666401dfc4 | pdf-font-stream | PDF embedded font (cff) at offset 0x71636 | 1731 bytes |
| font_01_cff_off001d095d.bin | daf3f69a6fc659bfbc8b6d1436e81c590b1945229c79a0c85f036f00dae3a962 | pdf-font-stream | PDF embedded font (cff) at offset 0x1D095D | 1764 bytes |
| font_02_cff_off001d8f97.bin | 60b5b8b4c521a6105d213b88717df63b54ebc327391a3ac4fd764b5093ed1c21 | pdf-font-stream | PDF embedded font (cff) at offset 0x1D8F97 | 7726 bytes |
| font_03_cff_off001da98b.bin | 664170f7b103eeb9f154d7c0a96f16b7215126a176e20c6d6e10a8d592f7ab01 | pdf-font-stream | PDF embedded font (cff) at offset 0x1DA98B | 6136 bytes |
| font_04_cff_off001dc79e.bin | c2037762b45d22683a143c2c62342558c62927569fdbf7c0eef814a8853f86bc | pdf-font-stream | PDF embedded font (cff) at offset 0x1DC79E | 1065 bytes |
| font_05_cff_off001dcd2e.bin | 88243a8fa45261e4c3acb9d7dd36662f9e6956663cf3e2131006d8c4c6fdfcd7 | pdf-font-stream | PDF embedded font (cff) at offset 0x1DCD2E | 1081 bytes |
| font_06_cff_off001dd69c.bin | 4a6de1e3e2cd3a2bc54936b3a2e97c1605427861089ef47de74301dd6f39f4bf | pdf-font-stream | PDF embedded font (cff) at offset 0x1DD69C | 5292 bytes |
| font_07_cff_off001de863.bin | 00941be45440c2e2b874328cd364d0dc742144eef0c1244e56b33a47602d88a9 | pdf-font-stream | PDF embedded font (cff) at offset 0x1DE863 | 1107 bytes |
| font_08_cff_off0020020b.bin | 806e0c55f6027a11d5765f68d3e4764f3da12e51097602c9d5ef9b79b7236e83 | pdf-font-stream | PDF embedded font (cff) at offset 0x20020B | 7441 bytes |
| font_09_cff_off0020189a.bin | 5b0e640a85e2c975085a716b342fa81a307bfa44b8de4e7d9e2b050ac9e33b94 | pdf-font-stream | PDF embedded font (cff) at offset 0x20189A | 8250 bytes |
| font_10_cff_off0020313b.bin | 29ee55c150fe1d4bb82bab388e3bef7a17f2ef3461ff40febc9ceee2bc193844 | pdf-font-stream | PDF embedded font (cff) at offset 0x20313B | 4499 bytes |
| font_11_cff_off00218d96.bin | 1b222b87d9b9caa729efe201f10a182f07dfd980c7f5a4eb5211bed6379f966c | pdf-font-stream | PDF embedded font (cff) at offset 0x218D96 | 651 bytes |
| font_12_cff_off0021cba7.bin | 6afb44f439ce3368816bde18ad2b822d4d3e10e93bd84878dc9bb1c59d288454 | pdf-font-stream | PDF embedded font (cff) at offset 0x21CBA7 | 2647 bytes |
| font_13_cff_off00220173.bin | 5808066277124b1b5f0e70f004541a543206f050d40dc1dd158a65aef93cfe0a | pdf-font-stream | PDF embedded font (cff) at offset 0x220173 | 4506 bytes |