Malicious PDF — malware analysis report

Static analysis result for SHA-256 516692ef47b584e6…

MALICIOUS

PDF

312.2 KB Created: 2010-02-10 15:34:59 +01:00 Authoring application: Writer (via OpenOffice.org 3.1)
MD5: 223d525e1cdbf7ab4dede5fa4807404c SHA-1: f77c03d6f12f751980ffac2c26407f16f8a24496 SHA-256: 516692ef47b584e62c27cf2917a7692386edfb5f8e7be6202c016e6ef39288f5
426 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

This PDF file contains embedded JavaScript and a launch action that executes cmd.exe. The command line parameters indicate it attempts to download and execute a secondary payload from the URL http://www.scrt.ch/pages/fireforce/fireforce.xpi. The embedded executable payload was detected by ClamAV as Win.Trojan.Rozena-131, and the PDF itself was flagged as Pdf.Tool.Agent-1388586, confirming its malicious nature.

Heuristics 12

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\fireforce_en_manual.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.scrt.ch/pages/fireforce/fireforce.xpi
    • https://addons.mozilla.org/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0118_000.js
b3ab59ef0991703642c254951e7abe08e89d16ec0cabbcd0e5e15fcb035348da		 pdf-javascript-stream PDF /JS object 118 at offset 0x4DCE3 68 bytes
stream_015_off00021f16.bin
ff027821eb6007ec65a781497bd42ff1224c6e86627a835a21918243177fa016		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x21F16 141456 bytes
stream_033_off00048ef8.bin
0ba260bd6ffed6e2464c286bcb8ba271cb266f072b883a0990791b2b5c10b277		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x48EF8 37888 bytes
Detection
ClamAV: Win.Trojan.Rozena-131
Obfuscation or payload: unlikely
font_00_sfnt_off00039ab2.bin
f9a91f613dbb4d56f9ed40f918f570a675d183aaca071d9f4ec8be374dd410e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x39AB2 23660 bytes
font_01_sfnt_off0003d8a0.bin
91f45c017129d958d1920306f07fa9749d3785d1d4ed389596a3aaf1b2a86cab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3D8A0 1752 bytes
font_02_sfnt_off0003dec0.bin
70d40c52e0c77968d814d172f3a7e706a3494fc9453731f532a5a2480b2f19d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3DEC0 25728 bytes
font_03_sfnt_off0004228f.bin
8928f8132c0d25b8b12de8688704e4e0a2b2493dbf4979b8e35a8310410430b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4228F 25360 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.