PDF malware analysis — malicious · 2dd45274ab3857f2

MALICIOUS

PDF

25.6 KB Created: 2007-07-06 01:56:41 +07:00 Authoring application: 376377000P000D000F000C000r000e000a000t000o000r000 000V000e000r000s000i000o000n000 0000000.0009000.0003 (via GPL Ghostscript 8.54)

MD5: ab62345af0919d5726e2ddcf54be46ab SHA-1: e90a420798e7f899f9ae2c05dd9aef6e692d346a SHA-256: 2dd45274ab3857f29645c1767c57fabfd83178cc89a912b2097d1d8b5537fb22

374 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The PDF file contains embedded JavaScript that utilizes a launch action to execute cmd.exe. This command is designed to download and save a file named 'julia.pdf' to the user's desktop, indicating a downloader or dropper functionality. The critical heuristic CVE_2010_1240 further confirms the exploitability of the launch action for command execution.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 10

Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240

PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
Launch action critical PDF_LAUNCH

PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND

PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\julia.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
/Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS

PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`julia.pdf` `397da393b4271923320fa93cdd5be58a8b468af4198c78ecc68c174f33654b78`	pdf-embedded-file	PDF EmbeddedFile object 26 at offset 0x60FE	540 bytes
`javascript_obj0027_000.js` `63721ad9bd27196bfd5db95cf101c80e3cca14d7ecf8295a848d30dc2fcb1689`	pdf-javascript-stream	PDF /JS object 27 at offset 0x626C	54 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.