MALICIOUS
312
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer
The PDF contains a launch action that executes cmd.exe, which in turn is used to drop and execute a Visual Basic script. This script is designed to download and execute a second-stage payload, indicating a downloader or dropper functionality. The specific Visual Basic script functionality is inferred from the CVE_2010_1240_LAUNCH_VBS_DROPPER heuristic.
Machine Learning
- Nyx PDF Classifier malicious score 0.9062
Heuristics 7
-
Adobe Reader Launch action VBS dropper command chain critical CVE likely CVE_2010_1240_LAUNCH_VBS_DROPPERPDF uses a CVE-2010-1240-style Launch action: cmd.exe is invoked from /Launch and builds a VBS stage that uses ADODB.Stream, MSXML2.XMLHTTP, or FileSystemObject to write or execute a payload.
-
Launch action critical PDF_LAUNCHPDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
-
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMANDPDF /Launch action specifies an executable target with parameters '/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream"' — references a known-dangerous executable (cmd, PowerShell, etc.).
-
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
PDF JavaScript WScript downloader high PDF_JS_WSCRIPT_DOWNLOADERDecoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://www.iec.ch
- https://www.verisign.com/repository/CPS��
- https://www.verisign.com
- https://www.verisign.com/repository/verisignlogo.gif0��
- https://www.verisign.com/CPS0b
- http://www.microsoft.com/truetype/0
Extracted artifacts 16
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_007_off0001322b.bine6da427fc465d6fd576a2a5bc29535aad1d5ea56bc6c81e24ed089c069d05680 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1322B | 43820 bytes |
embedded_pdf_script_000fa2ad.bin62d1ac922131582617d60ea819704a7201930ed3497e91e172b62e6c6e358600 |
pdf-embedded-script | PDF decompressed stream script payload at offset 0xFA2AD | 1173688 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 shell/COM execution token(s).
|
|||
icc_00_off000126d5.icc2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e |
pdf-icc-profile | PDF ICC profile at offset 0x126D5 | 3144 bytes |
font_00_sfnt_off00001a3a.bin27052c4c23e906e9cb4177eaf0c07ac21183eb3580fc7c4dd1d284eaeae7471e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A3A | 60516 bytes |
font_02_sfnt_off000d1e59.bindcdb8b372fcbffd9f36137e1bc307aa4dec89013125ddc40530ac6ca465c4fbd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD1E59 | 33424 bytes |
font_03_sfnt_off000d7383.bin5af7b576aa1cea70f70fa4078091e742df22b307e686ec28185f949541d5321f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD7383 | 31944 bytes |
font_04_sfnt_off000dc36a.bin545ae39cd02903d04f33b1519e873820a00b0060aba0c7a628165a04f20438ef |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDC36A | 17240 bytes |
font_05_sfnt_off000dedda.bindb441e6b210d20fab5e85cf5a223e86ab3ce2196b81dc55fde6a8082cca2022a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDEDDA | 11240 bytes |
font_06_sfnt_off000e0487.bin209ca9b8f1093a22cf2e8a1b8ab3baa0d408ad2f5a32b170ebc9de9240c765dc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE0487 | 28316 bytes |
font_07_sfnt_off000e395e.bina6c883754816b294ed2dc7c23cc1f3523f8307b212f706dcb0e39cce9f1ba920 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE395E | 35848 bytes |
font_08_sfnt_off000e858c.binb296505e8f42d214aec3953c9a851528d0cacef6ab32e89b2fb5af09585aa3ab |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE858C | 25152 bytes |
font_09_sfnt_off000eb048.bin72d224e94adb5c05d29e8f044a6f61f350e4e602f7a0d2977d838328f3d9cc56 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB048 | 11728 bytes |
font_10_sfnt_off000ed043.bin5c6cfa22a399fa5b18ab4d3e9ea9df2b4180ea82e1c11e14b80895553e33a95f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xED043 | 26200 bytes |
font_11_sfnt_off000efe97.bin97e82ce8ed3bf3d80ab49f148f8d28fb85417b5e024356a3a8e8a1fb1b5c95c2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEFE97 | 20508 bytes |
font_12_sfnt_off000f1b8b.binf29729aca5b8eabc5be78fc73af51a76621c62a0caa2c919ab5722538075d8d6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF1B8B | 20132 bytes |
font_13_sfnt_off000f4a15.bind71745676943fbee4034a3ae2622b1565bf35052b79160e5a3150ffcae04bf3e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF4A15 | 14832 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.