PDF malware analysis — malicious · 5761e303d7bc027d

MALICIOUS

PDF

432.5 KB Created: 2008-12-08 15:37:02 +01:00 Authoring application: Acrobat PDFMaker 8.0 for Word (via Acrobat Distiller 8.0.0 (Windows))

MD5: 8b3a3c4386e4d59c6665762f53e6ec8e SHA-1: bee7d9e7e9b7e5f1ec8f15e67943f10616460cbb SHA-256: 5761e303d7bc027df47b5b01a3e4e8e186eb36d3a4f40956768231ef3bbcac46

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains a critical PDF_LAUNCH heuristic firing, indicating an attempt to execute an external program. Specifically, it targets 'cmd.exe' with parameters that suggest the creation and execution of a Visual Basic script. This script is likely designed to download and execute a second-stage payload, as indicated by the PDF_EMBEDDED_SCRIPT_PAYLOAD heuristic. The reconstructed command line provides a direct IOC for the initial execution attempt.

Heuristics 5

Launch action critical PDF_LAUNCH

PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND

PDF /Launch action specifies an executable target with parameters '/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream"' — references a known-dangerous executable (cmd, PowerShell, etc.).
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/pdfx/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_pdf_script_0000c7aa.bin` `3a1842780cfdd399c0e012acd770f7ae2f07655a3295c12f21bf4efd1f2cb176`	pdf-embedded-script	PDF decompressed stream script payload at offset 0xC7AA	442837 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 shell/COM execution token(s).
`icc_00_off0000278e.icc` `2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e`	pdf-icc-profile	PDF ICC profile at offset 0x278E	3144 bytes
`font_00_sfnt_off00007f2e.bin` `20b497bbb02022321e85b7b6ae56380eaaee841788bc62884891229c14b5804a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7F2E	5884 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.