Malicious PDF — malware analysis report

Static analysis result for SHA-256 42dcd35e0d641973…

MALICIOUS

PDF

721.8 KB Created: 2009-08-06 16:58:58 -04:00 Authoring application: Adobe InDesign CS4 (6.0.3) (via Adobe PDF Library 9.0)
MD5: d5121452492643679a4f9bf7f75a9421 SHA-1: a1c6ac97f8c3f915b848b767e973dc67b640c092 SHA-256: 42dcd35e0d641973b81f6f0407cd9d12e225c36b4246cfe8fd10d60523fa1526
514 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.003 Windows Command Shell T1105 Ingress Tool Transfer T1204.001 Malicious Link

This PDF file contains embedded JavaScript that utilizes a launch action to execute cmd.exe. The critical heuristic 'CVE_2010_1240' indicates exploitation of a vulnerability allowing command execution. Furthermore, an embedded executable payload is detected, masquerading as a PDF file named 'worldpop.pdf'. This suggests the PDF acts as a dropper for a secondary malicious executable, likely downloaded from an external source, aligning with the 'Pdf.Dropper.Agent-7254912-0' ClamAV detection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9852

Heuristics 12

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\worldpop.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable critical PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Pdf.Dropper.Agent-7254912-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7254912-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.InsiderSoftware.com/fontlist/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/sType/Font#
    • http://ns.adobe.com/xap/1.0/g/
    • http://ns.adobe.com/illustrator/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#
    • http://ns.adobe.com/xmp/InDesign/private
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.prb.org

Extracted artifacts 28

Files carved from inside the sample during analysis.

FilenameKindSourceSize
worldpop.pdf
ee52ff38f3b088ff36b9d2eb22f5545ed3c20536c00ca98afd78e164a03f437e		 pdf-embedded-file PDF EmbeddedFile object 326 at offset 0xA955E 73802 bytes
Detection
ClamAV: Win.Trojan.MSShellcode-7
Obfuscation or payload: unlikely
javascript_obj0327_000.js
ed9755b74f13014534e12d2bf0f299462258f03b4dfa2b044d178a9a964ca271		 pdf-javascript-stream PDF /JS object 327 at offset 0xB412E 57 bytes
stream_074_off000739e0.bin
d15e1da9013179495f38155ebf0d58737f14b28321859cd7343defb7b0985a86		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x739E0 3134 bytes
stream_077_off00074a29.bin
8eb097bdbdbd3cc2997ea854c4504067e1654e1dfd97f750cd57e8b26f9b51a6		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x74A29 3028 bytes
stream_132_off0008d44b.bin
20e915aa02cbae9d8969890b279060a42c9bf5371af77978ceee22b17610b0c8		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8D44B 5478 bytes
font_00_cff_off000034b3.bin
40df8f8de5370506413a5e6e70b8679965b69617fec21fa42f616d6a524112bb		 pdf-font-stream PDF embedded font (cff) at offset 0x34B3 3857 bytes
font_01_cff_off0000417d.bin
185d60c1071013fdd912539728f5c474fd41860cda94bff6a9726db5141128c8		 pdf-font-stream PDF embedded font (cff) at offset 0x417D 1525 bytes
font_02_cff_off000046e2.bin
dd3eabf35202e597e915293b7517d96ea8e8f25aa6c1233af1b9c82d1c8b6e8c		 pdf-font-stream PDF embedded font (cff) at offset 0x46E2 5476 bytes
font_03_cff_off00005910.bin
641d4db28e7fb8a1bce592315dcb5fa7f88990e5a7da7db243ca62e92dcbcf5d		 pdf-font-stream PDF embedded font (cff) at offset 0x5910 3256 bytes
font_04_cff_off000064aa.bin
6d7e60bc4a4cbfeba3cb5e2ae691beed26563edc0b8e95516a0e526025bfa70a		 pdf-font-stream PDF embedded font (cff) at offset 0x64AA 4164 bytes
font_05_cff_off000072c6.bin
6a1f19e199d99b32f52c3539964be48833484bf30eba8c44cf4e9855f2dcd9ef		 pdf-font-stream PDF embedded font (cff) at offset 0x72C6 2519 bytes
font_06_cff_off00034520.bin
22489bea152d80b3190c24356d760d6ef09f6453e11711b954d019b007bbd921		 pdf-font-stream PDF embedded font (cff) at offset 0x34520 1267 bytes
font_07_cff_off00048556.bin
8dcf17619a89715af1c2720982979449375f4320a389724d57511a81a2f1d577		 pdf-font-stream PDF embedded font (cff) at offset 0x48556 948 bytes
font_08_cff_off000712db.bin
ed3456c0145cd2d40215edbf2d980901f59ee2cc53d1f49ed0e0b0b403d6f59c		 pdf-font-stream PDF embedded font (cff) at offset 0x712DB 642 bytes
font_11_cff_off0007daf2.bin
d7e3860fa68975e66d8c8205577ac61e460e64f6c02bc547b0cd0ac7aa9709a5		 pdf-font-stream PDF embedded font (cff) at offset 0x7DAF2 1445 bytes
font_12_cff_off0007e44f.bin
25551598d05086651bdb41a8d445339ed0d09897168c3f23d27c8521fa237ec6		 pdf-font-stream PDF embedded font (cff) at offset 0x7E44F 4504 bytes
font_13_cff_off0007fee9.bin
fc914ebfcf1609048b5227a91740dd1db92deac51bb3e9a5060590c711a74b7e		 pdf-font-stream PDF embedded font (cff) at offset 0x7FEE9 4858 bytes
font_14_cff_off000811fd.bin
08b4fecbb01bf07ef0b9ea6cff3e17ba6f625da633db08d4dc95ed82ec60935b		 pdf-font-stream PDF embedded font (cff) at offset 0x811FD 3518 bytes
font_15_cff_off000823ec.bin
9fb9348c6a1a88b21fe7859e045459407e653bc4ca101d1340a98cc84fdf2161		 pdf-font-stream PDF embedded font (cff) at offset 0x823EC 1452 bytes
font_16_cff_off00082dcf.bin
3d5459d2cc67eeca3d822cfd344fd44b087f383d51e5c9b6bc1839d4471fdcf8		 pdf-font-stream PDF embedded font (cff) at offset 0x82DCF 3437 bytes
font_17_cff_off00083f31.bin
6ee18ff8d449710a584ecb994f9f37919060ac78da118a471e1ebfeedf278901		 pdf-font-stream PDF embedded font (cff) at offset 0x83F31 870 bytes
font_18_cff_off00084571.bin
05c0336241c0ad49c648be1cddacc1d5865a9275ba617b90b5496fe35f38e4a6		 pdf-font-stream PDF embedded font (cff) at offset 0x84571 3809 bytes
font_19_cff_off00085858.bin
886b9f980770b36b2f0c29366de05ddf05a32939b478f2648f3cf4b6084c59f3		 pdf-font-stream PDF embedded font (cff) at offset 0x85858 3716 bytes
font_20_cff_off00087895.bin
f1585bcd461dfbb5b95e7f7145369d555de1289e14f0ae1bd2f3076f4a98b33d		 pdf-font-stream PDF embedded font (cff) at offset 0x87895 1217 bytes
font_21_cff_off000884e1.bin
735355f093cc539e4749df7cbe55e5d0202288c3aec373295a0c7408a7cb5fb4		 pdf-font-stream PDF embedded font (cff) at offset 0x884E1 4952 bytes
font_22_cff_off00089a68.bin
bc0ce457dcdf153851b7a2b6a1c31ec8faefab5ee8dd253d2480be7c67381ece		 pdf-font-stream PDF embedded font (cff) at offset 0x89A68 1509 bytes
font_23_cff_off0008acd3.bin
a53353352f93e99852ff385ed99ca9a9cb3e05c586d497f59e30a05fcd87e1c3		 pdf-font-stream PDF embedded font (cff) at offset 0x8ACD3 1218 bytes
font_24_cff_off0008c61a.bin
5fc40de76e136cb737a912277f2ceb4bcef038b924e1db94a30d8132414f95a6		 pdf-font-stream PDF embedded font (cff) at offset 0x8C61A 1045 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.