Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ded90dfe91834b8…

MALICIOUS

PDF

7.5 KB Created: 2010-08-24 08:34:15 +08:00 Authoring application: Acrobat Web Capture 7.0
MD5: bb70a475aa0a393bb9f88d5a1cf83365 SHA-1: 529b4a8cc041b0d3ea512ec78e5747fc708881fa SHA-256: 4ded90dfe91834b86a5c9e08006a6968785cb410430089359172dc29830ab8fe
280 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1218.005 System Binary Proxy Execution: Mshta

The PDF file contains a critical PDF_LAUNCH heuristic firing, indicating a launch action. This action targets 'mShTa.exe' with the parameter 'http://127.0.0.1/test.html 1 Click open to view the full info'. This strongly suggests the document is designed to exploit mshta.exe, a legitimate Windows binary, to download and execute content from the specified URL. The presence of 'mShTa.exe' and the URL are the highest priority IOCs.

Heuristics 6

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: mShTa.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters ' http://127.0.0.1/test.html 1 Click open to view the full info ' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • /Launch action targets mshta.exe (LOLBIN) critical PDF_LAUNCH_MSHTA
    PDF contains a /Launch action whose /F parameter names mshta — Microsoft's legacy HTML Application host, used as a LOLBIN to run inline JScript/VBScript from a /P parameter (typically a `javascript:` URL). MITRE ATT&CK T1218.005.
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://127.0.0.1/test.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Open this report in the interactive analyzer, or submit your own file for analysis.