Malicious PDF — malware analysis report

Static analysis result for SHA-256 369d8258ee9a6373…

MALICIOUS

PDF

601.9 KB Created: 2007-10-24 16:40:30 +08:00 Authoring application: Acrobat PDFMaker 8.1 for Word (via Acrobat Distiller 8.1.0 (Windows))
MD5: edb5882374a99589b121d8da9bf3f9bd SHA-1: 5908274a719a5d0fea6650bb9ddd559c4c343962 SHA-256: 369d8258ee9a6373ff2cca879a119fa8da9634d6dd85f25ed0311483c211bc4f
272 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment T1204 User Execution

The PDF file contains embedded JavaScript that leverages a vulnerability (CVE-2007-5020) in Adobe Reader to execute commands. Specifically, it uses a mailto URI to launch `mshta` with JavaScript, which acts as a downloader for a second-stage payload. The embedded script is identified as a WScript downloader, and the ML classifier strongly indicates maliciousness. The document body appears to be malformed or truncated, providing no direct lure, but the technical indicators are clear.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 12

  • Adobe Reader mailto URI command execution — CVE-2007-5020 critical CVE likely CVE_2007_5020_MAILTO_MSHTA
    PDF contains a crafted mailto URI that uses path traversal to reach mshta and execute inline script through WScript.Shell. This is the legacy Adobe Reader/Acrobat mailto command execution pattern associated with CVE-2007-5020.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF URI references command interpreter path high PDF_DANGEROUS_URI_COMMAND
    PDF contains a /URI action whose target uses a mailto/path traversal shape and references a command interpreter or scripting host. This is not a normal web link and matches legacy PDF command execution/dropper lures.
  • PDF JavaScript WScript downloader high PDF_JS_WSCRIPT_DOWNLOADER
    Decoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
  • External URI low PDF_URI
    PDF contains an external URL action
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0026_000.js
736c69993d4cd953676f5971bd943955c344f3001c77f281afd5d8df5a456b51		 pdf-javascript-stream PDF /JS object 26 at offset 0x52F0A 1379 bytes
embedded_pdf_script_00003ca4.bin
7c52625e8c14d2b3973f7e887df6b0ce686a24b85813521ea9e0ac37afa27835		 pdf-embedded-script PDF raw stream script payload at offset 0x3CA4 332401 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 47 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.