Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ddda4e9abd6df77…

MALICIOUS

PDF

Size: 597.0 KB
Created: 2009-04-07 11:32:57 -04:00
Authoring application: LaTeX with hyperref package (via pdfTeX-1.40.3)
MD5: e892ec8d8daea5f65c629fbaa490c6e0
SHA-1: b054439b96f000e6f9b8cd5a1a2a4fa20c4ae49d
SHA-256: 4ddda4e9abd6df77c8e350c689c09e67473ba0476a953b758bd776a2f6cf6548
Risk score: 366

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File Execution: Malicious Link
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

This PDF file contains embedded JavaScript and a PE payload, indicating malicious intent. The 'SE_CLICKFIX' heuristic suggests a social engineering attack where the user is prompted to execute a command, specifically targeting 'cmd.exe'. The embedded PE payload was detected by ClamAV as 'Win.Trojan.ShellcodeReverseTcp-1', and the PDF itself was identified as 'Pdf.Tool.Agent-1388586'. The document body contains what appear to be accessibility-related keywords, possibly as a lure or to blend in with legitimate content.

Heuristics (10)

  • Launch action (critical, PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application.
  • Embedded Windows executable payload in PDF stream (critical, PDF_EMBEDDED_PE_PAYLOAD)
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe (critical, PDF_LAUNCH_COMMAND)
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\gnome-access-guide.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586.
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • ClickFix social engineering attack (high, SE_CLICKFIX)
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (11)

Files carved from inside the sample during analysis.

  • javascript_obj3401_000.js (pdf-javascript-stream, 67 bytes)
    SHA-256: 0873ba271bf4c5b02fa109cb4dc10c00ca519aa0dcd5292fcd43d06b79d1add2
    Source: PDF /JS object 3401 at offset 0x94A26
  • stream_086_off00062ee9.bin (decompressed-pdf-stream, 21739 bytes)
    SHA-256: 9143d5c6371d54f01c98864c692cc15bf25a5bb4eae54031307b5213ae9e4711
    Source: PDF FlateDecoded stream at offset 0x62EE9
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.96, consistent with packed or encrypted content).
  • stream_088_off0008fd4a.bin (decompressed-pdf-stream, 37888 bytes)
    SHA-256: 047b713b434b197afac01e2d7137fe016ecd55bf6a55b1e0fa963bbd9e58397b
    Source: PDF FlateDecoded stream at offset 0x8FD4A
    Detection: ClamAV: Win.Trojan.ShellcodeReverseTcp-1. Obfuscation or payload: unlikely.
  • font_00_type1_off0004dd3c.bin (pdf-font-stream, 14228 bytes)
    SHA-256: 11cbe6479868509e3493465689d5d5d6fae7d2dbc71fb8aaeb21d737e47c923f
    Source: PDF embedded font (type1) at offset 0x4DD3C
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.92, consistent with packed or encrypted content).
  • font_01_type1_off0005139f.bin (pdf-font-stream, 16469 bytes)
    SHA-256: c2d952cc9773db5bfedb254540728d961707cde6ff51c8520eaaef65d278fa46
    Source: PDF embedded font (type1) at offset 0x5139F
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.93, consistent with packed or encrypted content).
  • font_02_type1_off00055319.bin (pdf-font-stream, 4848 bytes)
    SHA-256: ec42cf910fa8626b316ad94e8f1be5085504186df09b6027bf9f78fca1436430
    Source: PDF embedded font (type1) at offset 0x55319
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.53, consistent with packed or encrypted content).
  • font_03_type1_off00056438.bin (pdf-font-stream, 13489 bytes)
    SHA-256: a2647632d9bad114531ee14d15c16c22f1b97ccbe9da99f242bdadcb53329ffc
    Source: PDF embedded font (type1) at offset 0x56438
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.91, consistent with packed or encrypted content).
  • font_04_type1_off00059827.bin (pdf-font-stream, 11354 bytes)
    SHA-256: ce1ecf9505ca71de45fc67b184dae00bd3cd7adb5241ab44376c7ed945c9b05f
    Source: PDF embedded font (type1) at offset 0x59827
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.94, consistent with packed or encrypted content).
  • font_05_type1_off0005c570.bin (pdf-font-stream, 10500 bytes)
    SHA-256: ce284a281d79ee67dce0356b280f064e330ab98e032d18832d7f96cdc904e5f3
    Source: PDF embedded font (type1) at offset 0x5C570
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.93, consistent with packed or encrypted content).
  • font_06_type1_off0005eef9.bin (pdf-font-stream, 16594 bytes)
    SHA-256: 3fef4d2c8c36588a0e94ac5b595f561bc6ad908cb306215ef84b3bdc59c06681
    Source: PDF embedded font (type1) at offset 0x5EEF9
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.94, consistent with packed or encrypted content).
  • font_08_type1_off000683a3.bin (pdf-font-stream, 15784 bytes)
    SHA-256: 667a01adc63a599eb7df3d8d991f20a5a5b9ee97ccde4ef4add88c2122dc7332
    Source: PDF embedded font (type1) at offset 0x683A3
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.93, consistent with packed or encrypted content).