Malicious PDF — malware analysis report

Static analysis result for SHA-256 59fd6b8298a7b7d1…

MALICIOUS

PDF

537.0 KB Created: 2007-08-06 19:56:16 -07:00
MD5: 30df85ee77c5a979c971b8a27daa394e SHA-1: a37daec219fee64f9ed364521dc80ee2864cf86a SHA-256: 59fd6b8298a7b7d1bb751c0b4f45846f32172b83e289801ad635f43a2e6fd104
222 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.002 Spearphishing Attachment

The PDF contains a critical PDF_LAUNCH heuristic firing, indicating a launch action targeting cmd.exe. This action is designed to execute a command that writes a VBScript to disk and then likely proceeds to execute it. The embedded script payload and the visible LOLBin command execution instruction further support this. The primary IOC is the command line used to initiate the script execution, and a suspicious URL was also found embedded within the document.

Heuristics 7

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/c echo on error resume next>c:/m2.vbs && echo Set S = CreateObject("Wscript.Shell"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://vasiliy050.0fees.net/home/index.php
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://schemas.microsoft.com/cdo/configuration/sendusing
    • http://schemas.microsoft.com/cdo/configuration/smtpauthenticate
    • http://schemas.microsoft.com/cdo/configuration/sendusername
    • http://schemas.microsoft.com/cdo/configuration/sendpassword
    • http://schemas.microsoft.com/cdo/configuration/smtpserver
    • http://schemas.microsoft.com/cdo/configuration/smtpserverport

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_00085861.bin
ba65a77a36cffe9d37f11277cbbe9b66ca2373bfe20b3cf7d5c72075379c0ee3		 pdf-embedded-script PDF decompressed stream script payload at offset 0x85861 549822 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.