Malicious PDF — malware analysis report

Static analysis result for SHA-256 46b9dee6ebf616df…

MALICIOUS

PDF

231.8 KB Created: 2009-10-26 13:04:45 -05:00 Authoring application: LaTeX with hyperref package (via pdfTeX-1.40.3)
MD5: 7a7b41db7e48dfe2f0ea481c1467bdbb SHA-1: b074f930b4b623587776837fdefecee55b9a5603 SHA-256: 46b9dee6ebf616dfd3897a02307b01519a67c402acfdd21a1d9f832a56df7d77
588 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.001 Spearphishing Attachment T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

This PDF file exploits CVE-2010-1240 by using a launch action to execute cmd.exe. The command execution is paired with an embedded JavaScript dropper that exports a data object, which is identified as a Windows executable payload. This payload was detected by ClamAV as Win.Trojan.Swrort-5710536-0. The PDF itself is also detected as Pdf.Tool.Agent-1388586. The embedded executable is masquerading as 'users_guide.pdf'. The IP literal http://127.0.0.1:55555/ is also suspicious.

Heuristics 17

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\users_guide.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable critical PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://127.0.0.1:55555/
    • http://www.uninformed.org/?v=1&a=3&t=pdf
    • http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf
    • http://www.metasploit.com/
    • https://bugs.launchpad.net/bugs/282302
    • http://metasploit.com/framework/download/
    • http://metasploit.com/framework/support
    • http://subversion.tigris.org/faq.html#proxy
    • http://www.metasploit.com/documents/meterpreter.pdf
    • http://spool.metasploit.com/
    • http://marc.info/?l=bugtraq&m=104612710031920&q=p3

Extracted artifacts 15

Files carved from inside the sample during analysis.

FilenameKindSourceSize
users_guide.pdf
9e82179aed35cceeaa14ddb89988717afe281bd879472ffd052123760330a0e0		 pdf-embedded-file PDF EmbeddedFile object 477 at offset 0x2ED04 73802 bytes
Detection
ClamAV: Win.Trojan.Swrort-5710536-0
Obfuscation or payload: unlikely
javascript_obj0478_000.js
a8e0025aba07b8e30a4ff8ec082b173c5f1987520ae4a404f054aa61dd32dea2		 pdf-javascript-stream PDF /JS object 478 at offset 0x39A5B 60 bytes
stream_027_off00013093.bin
98b4c9d62a1d55ba5c43f20cc3acac57ab4a47bd28f69efcb1500d7796b3fe92		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x13093 9832 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.88, consistent with packed or encrypted content.
font_00_type1_off0001568a.bin
60b30b84dd9c5c5252d45e27e7a7e249447bef3e349a4f842aba359909dc48f1		 pdf-font-stream PDF embedded font (type1) at offset 0x1568A 10861 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.87, consistent with packed or encrypted content.
font_01_type1_off00018036.bin
e6fc6804f3f03b066f2f270a2931efc6f494bfff84a593cbf588bffc17e520b3		 pdf-font-stream PDF embedded font (type1) at offset 0x18036 17591 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.
font_02_type1_off0001c3c6.bin
5d2b51b74060f9561f0131a8e74384197374bf191b9eb35bf4b4a8d04bfadd02		 pdf-font-stream PDF embedded font (type1) at offset 0x1C3C6 3288 bytes
font_03_type1_off0001d0e9.bin
29285ea75d9663dd2bf6af3bd3bae40e82ea4851ef9bb55cd917eeff15aea4b5		 pdf-font-stream PDF embedded font (type1) at offset 0x1D0E9 4794 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.77, consistent with packed or encrypted content.
font_04_type1_off0001e3b0.bin
4b2e74a3d572b425d807f80f59917fc7b2a4bd9fdaddbd487b3520ff1f0f4017		 pdf-font-stream PDF embedded font (type1) at offset 0x1E3B0 1963 bytes
font_05_type1_off0001ebd7.bin
dbab26b9e9d89bbb0d00262461da26e552a1b1ed12e88fede3e572aad218c190		 pdf-font-stream PDF embedded font (type1) at offset 0x1EBD7 1954 bytes
font_06_type1_off0001f3f5.bin
40fbf7968458fa48582d153167dc0d0eb407bc388a98296d8e8212b51bab7ee7		 pdf-font-stream PDF embedded font (type1) at offset 0x1F3F5 6518 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.82, consistent with packed or encrypted content.
font_07_type1_off00020d3e.bin
b49c2c086e9c589c6242d405a570a07fdba211181af8821afdbe9eeefd427c13		 pdf-font-stream PDF embedded font (type1) at offset 0x20D3E 1326 bytes
font_08_type1_off000212d9.bin
c01f655b28cb429b1871e22dd89fa78fd8202b582539c7324a543c408d8df743		 pdf-font-stream PDF embedded font (type1) at offset 0x212D9 3910 bytes
font_09_type1_off00022273.bin
e59fa527cc81f200139dc3e59f50f0f216df954cdbbd7122cd28b13374a43178		 pdf-font-stream PDF embedded font (type1) at offset 0x22273 14877 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.88, consistent with packed or encrypted content.
font_10_type1_off00025ba6.bin
c966544533a4b24b4a363a64cbca036c550b152652663100f2bcc226b37d6be3		 pdf-font-stream PDF embedded font (type1) at offset 0x25BA6 12677 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.87, consistent with packed or encrypted content.
font_11_type1_off00028c51.bin
2a515d3352f53ccc7dccfa2dd9f82c79ce31cc7ade17182ab62d3a69a8bd8da7		 pdf-font-stream PDF embedded font (type1) at offset 0x28C51 3814 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.