Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f9cd7c167f24315…

MALICIOUS

PDF

216.9 KB Created: 2009-09-26 07:34:11 +02:00 Authoring application: Writer (via OpenOffice.org 3.0)
MD5: 5b8d0cf27afce890fd0dfae4e7e4839f SHA-1: 6d3a594db73c1b62c63cc4fac281ab9591a616b3 SHA-256: 4f9cd7c167f24315b4d33f22048685157d356b68af204606a2b04f076d68bb7a
424 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.001 Malicious Link

The PDF file contains embedded JavaScript that triggers a launch action, exploiting CVE-2010-1240 to execute a Windows executable payload named 'cMd.ExE'. This executable is disguised as 'ADMPlugin.apl' within the PDF. The combination of PDF launch actions, embedded JavaScript, and an embedded PE payload strongly indicates a malicious intent to deliver and execute malware.

Heuristics 10

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cMd.ExE critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "%USERPROFILE%\\����\\ADMPlugin.apl" (cd/D "%USERPROFILE%\\����"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable critical PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ADMPlugin.apl
c4fd9a56e98db7642397c747b99868e0056c40ee5a445a6e819900537db5d7d6		 pdf-embedded-file PDF EmbeddedFile object 109 at offset 0x35BFD 38400 bytes
javascript_obj0110_000.js
4e8f9ed5cd2b3deb670d441535eac258a2d0e54f0c2cb57b70166520eb5b6d48		 pdf-javascript-stream PDF /JS object 110 at offset 0x35DEF 60 bytes
font_00_sfnt_off00018873.bin
f027842567b04c926ad746e8dfdc4f8cdd2e3c7e0220264a22bb516569de8c36		 pdf-font-stream PDF embedded font (sfnt) at offset 0x18873 39760 bytes
font_01_sfnt_off0001e18a.bin
da753cc0b5163c9b6666572dbeb35b7b5caf4a56d9c22c99c36835925c000a71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1E18A 33672 bytes
font_02_sfnt_off00023149.bin
23ac8feb518c8c727acc6a954bb623e333337c9458521aed483fcc8d89f418c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x23149 12752 bytes
font_03_sfnt_off0002558e.bin
c8fd7189737c38a43b9ba034337799f502028b5db5a6037bd1df4c486f3233e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2558E 13136 bytes
font_04_sfnt_off00027bf4.bin
cf699c117fd0bb7368c625645b874f03c477a382b67075e98dd54d87de53958b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x27BF4 27096 bytes
font_05_sfnt_off0002ca67.bin
34829650519fe758a893e02057f5c7c1070378add027225386180ba60993be24		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2CA67 13700 bytes
font_06_sfnt_off0002f2cf.bin
bf36ecd37d117b665b1c68abb1c41fbb1a9d46c2c583bdb8512681835e553b91		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2F2CF 14892 bytes
font_07_sfnt_off00031db2.bin
37478039963094b7b89fb24df19adb1f5ee171f766ade680ac5516bb23ede59f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x31DB2 13576 bytes
font_08_sfnt_off00033c21.bin
df903f2017d43426972294ce96b065da76255f4a0de84e466c7a4dd6181632c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x33C21 1780 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.