Malicious PDF — malware analysis report

Static analysis result for SHA-256 39c02307bd03129f…

MALICIOUS

PDF

270.1 KB Created: 2010-05-27 22:13:33 -04:00 Authoring application: Writer (via OpenOffice.org 3.0)
MD5: 26675bbd503f05fc767508ed56dac235 SHA-1: 3f3b11d14097a4adf89b10f98031229cd55eb4bf SHA-256: 39c02307bd03129f58c57f6372e89624beccacc5b8fa53d188c68e55f92069f6
466 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.003 Windows Command Shell T1140 Deobfuscate/Decode Files or Information

This PDF document exploits CVE-2010-1240 via a launch action targeting cmd.exe to execute a payload. The embedded executable payload and the heuristic 'SE_ADVANCE_FEE_SCAM_LURE' strongly suggest the document is designed to trick the user into a financial scam. The embedded JavaScript and the PDF launch action indicate the primary goal is to download and execute a second-stage payload.

Heuristics 13

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\handbook.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.suntrust.com/retirementsolutions
    • http://www.discoverybenefits.com/
    • http://www.cignabehavioral.com/
    • http://www.cign.com/
    • http://www.teldrug.com/
    • http://www.mycigna.com/
    • http://www.lifebenefits.com/
    • http://www.netbenefits.fidelity.com/
    • http://www.unum.com/
    • http://www.eyemedvisioncare.com/
    • http://www.kaiserpermanente.org/
    • http://www.cigna.com/
    • http://www.CIGNA.com/
    • http://www.cigna.com/healthyrewards

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0274_000.js
ff55c3569615905a49995e011f58a5f14b9bcd78f90366bfed8a0a3717ddaa0c		 pdf-javascript-stream PDF /JS object 274 at offset 0x4341B 57 bytes
stream_043_off0003e530.bin
46654ef89d0a22bf10dc6d88ddb928f7352207a4d345cc1980ac5fb9b9e162c6		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3E530 37888 bytes
Detection
ClamAV: Win.Exploit.Countdown-1
Obfuscation or payload: unlikely
font_00_sfnt_off0001acc6.bin
1595e16a4f9a0296195e8dc1865868585c10d52861edb7be5bd8d7bb46db92b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1ACC6 33568 bytes
font_01_sfnt_off0001f5e7.bin
34b0487b9d5db5448761716fd39edac50b029d9a55416c4f3c80a2767672c1b9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1F5E7 27004 bytes
font_02_sfnt_off0002290d.bin
daebbe6f5b3bb39df11cac5456a4dd34995b98a47d83eea0b3f52e995dd61225		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2290D 31960 bytes
font_03_sfnt_off00026c0c.bin
84c02ed1e82014a67a7bc68df43de9ea2cab3e3cffaf559b8eb8f98dc2c1ba23		 pdf-font-stream PDF embedded font (sfnt) at offset 0x26C0C 25516 bytes
font_04_sfnt_off00029adf.bin
4027f6d872dc004d25fac9306111c00201f60500e4898dfe0941d608ccc2a3e6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x29ADF 16476 bytes
font_05_sfnt_off0002ba18.bin
5d3b487106b60ccd273e9fbbc201f0d7bba5eba88fc208da91f96864df8478f7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2BA18 46720 bytes
font_06_sfnt_off00033197.bin
3a6f2930bb6cbd05763fa470b4e32e0c20dcc3efa4d1c4d37d1e60fd340f4b67		 pdf-font-stream PDF embedded font (sfnt) at offset 0x33197 21924 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.