Malicious PDF — malware analysis report

Static analysis result for SHA-256 374080a4dbefd145…

MALICIOUS

PDF

Size: 174.1 KB
Created: 2009-09-21 16:15:52 +01:00
Authoring application: Acrobat PDFMaker 8.0 for Word (via Acrobat Distiller 8.0.0 (Windows))
MD5: 2e182d13fe9f4ecf9abfcdb143dddf8c
SHA-1: df2e72fcf7aa40716abe20060599b38a62fe016c
SHA-256: 374080a4dbefd1456ebb2e43a018f2d806fb919cca68f281a6054c508e1a055d
Risk Score: 386

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

This PDF document contains a critical PDF_LAUNCH heuristic firing, indicating it attempts to execute a command-line payload. Specifically, it targets cmd.exe with parameters that suggest it will download and execute a second-stage payload from an embedded stream. The PDF_EMBEDDED_PE_PAYLOAD heuristic confirms the presence of a Windows executable within the PDF. The SE_CALLBACK_LURE heuristic suggests a social engineering pretext, possibly a scam, to trick the user into triggering the exploit.

Heuristics (12)

  • Adobe Reader Launch action command execution [critical] CVE_2010_1240 (exact CVE match)
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action [critical] PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream [critical] PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe [critical] PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\e_redundancy.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • Clickable PDF combines external action with parser-evasion structure [high] PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.adviceguide.org.uk/)/S/URI
    • http://www.citizensadvice.org.uk/cabdir.ihtml)/S/URI
    • http://www.citizensadvice.org.uk/)/S/URI
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • javascript_obj0247_000.js
    SHA-256: 763010a2a11e9182fde6f503a8ef111feaf2c51648a5b8d297d4f46f1b034096
    Kind: pdf-javascript-stream; Source: PDF /JS object 247 at offset 0x2B23C; Size: 61 bytes
  • stream_018_off0000bed0.bin
    SHA-256: eaa6465d54b1be804f940166518bbf0713ee5f105b8865a3e685ae8399d3d048
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0xBED0; Size: 743362 bytes
  • icc_00_off00002896.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile; Source: PDF ICC profile at offset 0x2896; Size: 3144 bytes