MALICIOUS
394
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.003 Windows Command Shell
T1105 Ingress Tool Transfer
This PDF file contains embedded JavaScript and a PE payload, indicating malicious intent. The critical PDF_LAUNCH and PDF_LAUNCH_COMMAND heuristics, along with the CVE-2010_1240 detection, confirm that the file attempts to execute cmd.exe with specific parameters. This is further supported by ClamAV detections on both the PDF and the extracted artifact, suggesting it acts as a dropper for further malicious activity.
Heuristics 12
-
Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
-
Launch action critical PDF_LAUNCHPDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
-
Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOADPDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
-
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMANDPDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\06086325.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
-
ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Tool.Agent-1388586
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://doi.acm.org/10.1145/332051.332079
Extracted artifacts 14
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0086_000.js19e3fb33409050f42963b4d253d30193d427409f3fc570d48c58481d7e5be997 |
pdf-javascript-stream | PDF /JS object 86 at offset 0x21092 | 57 bytes |
stream_018_off00013024.js2d7f1f29ed81490929b4cff075d9aaee86e95d16c1123ba2a37d27e0b893159f |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x13024 | 11059 bytes |
stream_028_off000182f5.bin09f728520e1e534673d0ef7e707b54ee6c057d6d3ec87f6b0474d80d6aa68ffb |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x182F5 | 79111 bytes |
|
Detection
ClamAV:
Win.Trojan.MSShellcode-6360730-0
Obfuscation or payload:
unlikely
|
|||
font_00_cff_off00000fc8.bin3ba103feaa935389e9aca5004b7e409adf3890c6f0d979c0f45ce15a72ecd5e9 |
pdf-font-stream | PDF embedded font (cff) at offset 0xFC8 | 1546 bytes |
font_01_cff_off000019a9.bine383026abea5d6076a22fdff61bb21c3df08710d86913079e493937f98714956 |
pdf-font-stream | PDF embedded font (cff) at offset 0x19A9 | 1141 bytes |
font_02_cff_off00002e3e.bin6180a385fc3d52804cc8d990b690c6fedee8256227992750be7862bcc2d83a29 |
pdf-font-stream | PDF embedded font (cff) at offset 0x2E3E | 4759 bytes |
font_03_cff_off000043ac.bin7ff142b5ac07f86345b3afd2a09e84e6e92270a7ec2b2dc1a3fcd43a7b60c301 |
pdf-font-stream | PDF embedded font (cff) at offset 0x43AC | 12303 bytes |
font_04_cff_off000071a8.bincc651472fd6fe2a236670c3084c23589f9294520e5aaa98b4654b900f1f273a1 |
pdf-font-stream | PDF embedded font (cff) at offset 0x71A8 | 8270 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.42, consistent with packed or encrypted content.
|
|||
font_05_cff_off0000940e.bind82eb45d01988b1c1a5e743696cdaf4ae1fc7cc47a7b3abc240e01493db8eb6e |
pdf-font-stream | PDF embedded font (cff) at offset 0x940E | 5684 bytes |
font_06_cff_off0000ad2c.bin5be998d7f9990a8a292369fdd6a218bb1a42f8a34395579c3ecd413dcefb5dde |
pdf-font-stream | PDF embedded font (cff) at offset 0xAD2C | 3666 bytes |
font_07_cff_off0000bf26.binbef2db66189d82167ff20c19446cd1965b6e682eb11de527cf35d01344cdd796 |
pdf-font-stream | PDF embedded font (cff) at offset 0xBF26 | 2367 bytes |
font_08_cff_off00012d87.bin9ac8be8556bfc64f26722e2077c4131556614ac62d9f1c04a3322a7be81e7e2d |
pdf-font-stream | PDF embedded font (cff) at offset 0x12D87 | 299 bytes |
font_09_cff_off000146bd.bin7274e992ddbbb85cb9eac08c003b61cf8ae49b18b67054823f58703b49640458 |
pdf-font-stream | PDF embedded font (cff) at offset 0x146BD | 3084 bytes |
font_10_cff_off0001567c.bina899af8eab89b8d8343f2b59c6b1e76b614d05a169c043012baa64c004bf5dd9 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1567C | 3615 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.