Malicious PDF — malware analysis report

Static analysis result for SHA-256 60baa17696af7a2f…

MALICIOUS

PDF

283.9 KB Created: 2010-02-07 22:10:13 +01:00 Authoring application: LaTeX with hyperref package (via xdvipdfmx (0.6))
MD5: e9007e1fb266e3953fba79b03ea6c84a SHA-1: 130d9f6dd98aa53e27992f0ba85c27f6686326c0 SHA-256: 60baa17696af7a2f925d4f107b8f9d93c5b270c4e007f02062fcf6adf1b70f58
474 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains a critical PDF_LAUNCH heuristic firing, indicating an attempt to execute an external program. This is further supported by a PDF_LAUNCH_COMMAND heuristic indicating the execution of 'cmd.exe' with parameters designed to create and run a VBScript dropper. The embedded script evidence and the CVE-2010_1240_LAUNCH_VBS_DROPPER heuristic confirm that the sample is designed to download and execute a second-stage payload, likely from the 'http://www.foo.be/' URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics 11

  • Adobe Reader Launch action VBS dropper command chain critical CVE likely CVE_2010_1240_LAUNCH_VBS_DROPPER
    PDF uses a CVE-2010-1240-style Launch action: cmd.exe is invoked from /Launch and builds a VBS stage that uses ADODB.Stream, MSXML2.XMLHTTP, or FileSystemObject to write or execute a payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Win.Trojan.Dropper-134 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Dropper-134
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF JavaScript WScript downloader high PDF_JS_WSCRIPT_DOWNLOADER
    Decoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.foo.be/
    • http://www.gitorious.org/~adulau

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_0000ddf7.bin
cee2c8b51bdba523ee045405b034678e300462aaf5d40e8dc50fbf79b707f5e7		 pdf-embedded-script PDF decompressed stream script payload at offset 0xDDF7 290705 bytes
Detection
ClamAV: Win.Trojan.Dropper-134
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 2 long base64-like blob(s).
font_00_cff_off00003d8a.bin
09e18e495b68106a55aace3f441183e73b28de0f6fbcb0af0b76d08e38de00da		 pdf-font-stream PDF embedded font (cff) at offset 0x3D8A 15636 bytes
font_01_sfnt_off00007386.bin
1bbf8d898c7de34b2ed1bfb68d2725a06e3c5e09957aee601794b4fe88adb9f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7386 13054 bytes
font_02_cff_off00009b0d.bin
81cd2ec160f0dbbfecf3a7282aa50fb69c8be6a3e42aa5a6d27c573cc7517a2e		 pdf-font-stream PDF embedded font (cff) at offset 0x9B0D 7529 bytes
font_03_cff_off0000b8d9.bin
19f70b70255abac1a93513d95c8ae661c9f9d2f99400a22c24727869e919e5ad		 pdf-font-stream PDF embedded font (cff) at offset 0xB8D9 7369 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.