Malicious PDF — malware analysis report

Static analysis result for SHA-256 625eb929843c3452…

MALICIOUS

PDF

674.8 KB Created: 1999-12-26 15:37:45 Authoring application: TeX (via Aladdin Ghostscript 5.50)
MD5: 9ed59219bb0bbd5ed47988c44b6f5776 SHA-1: ad3af461c7398c9674a8c755507a3c44d8a07296 SHA-256: 625eb929843c3452ca01588ea2478e735cfdc3eaf4f3bcacc8e0d81162e135ec
602 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that triggers a launch action, executing cmd.exe. This command then attempts to run a Windows executable payload that is disguised as a PDF file named 'R-intro.pdf'. The embedded executable was detected by ClamAV as Win.Trojan.Swrort-5710536-0, and the PDF itself was flagged as Pdf.Tool.Agent-1388586.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9880

Heuristics 17

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\R-intro.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable critical PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Remote GoTo action high PDF_GOTO_REMOTE
    PDF references an external document via GoToR/GoToE whose target is a URL, UNC path, or executable
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.ggobi.org/
    • http://www.ggobi.org/rggobi
    • http://www.zeustech.net/
    • http://]hostname[:port]/path
    • http://CRAN.R-project.org
    • http://CRAN.R-project.org/
    • http://www.bioconductor.org/
    • http://ESS.R-project.org
    • http://www.apache.org/

Extracted artifacts 25

Files carved from inside the sample during analysis.

FilenameKindSourceSize
R-intro.pdf
43d3d0891e76b7d25875aa7cc2a31909411c1bd136fffcc3166cddd152504999		 pdf-embedded-file PDF EmbeddedFile object 1654 at offset 0x9D9C4 73802 bytes
Detection
ClamAV: Win.Trojan.Swrort-5710536-0
Obfuscation or payload: unlikely
javascript_obj1655_000.js
aef14e1c21edcd39aea69f8da83405fbfbfd80ce36fe093614a24ea77d00f215		 pdf-javascript-stream PDF /JS object 1655 at offset 0xA86DF 56 bytes
stream_114_off0006cb63.bin
7e10555220c4ae44ee25adee594f24d484ec36b6b2350925b7c2c6c46b5e41bf		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6CB63 11342 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.
stream_117_off00070c20.bin
4b4852b147e285f80c5200a3bdeca9f1a3b32cd00b78a0d4fe338383ac05dc47		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x70C20 2861 bytes
stream_122_off0007ad8c.bin
49ca8c086f008e85f50e2e51c9b55a8c2fe8c2026ac60bcf6a4acd3f7eb7ac31		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x7AD8C 9733 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.89, consistent with packed or encrypted content.
stream_124_off0007daf4.bin
2113bd6219ad3befb7a1c5dae703905d672d59dc521c4b7b0b1fb555263d1bf3		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x7DAF4 8772 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.85, consistent with packed or encrypted content.
font_00_type1_off000675b0.bin
3094825b5ce890f712e15e00639dcaaf89332e918ec2c752958143c70d2b9fe6		 pdf-font-stream PDF embedded font (type1) at offset 0x675B0 14517 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.88, consistent with packed or encrypted content.
font_01_type1_off0006ad62.bin
c09210d295e4d4d9dbb74b093e020f865083332b7bb7338196f1ae5171bef3d4		 pdf-font-stream PDF embedded font (type1) at offset 0x6AD62 1931 bytes
font_02_type1_off0006b56d.bin
f1588eabbd670e98523666c1c3c04b712c1b3697d47a5408739062620b33659c		 pdf-font-stream PDF embedded font (type1) at offset 0x6B56D 3310 bytes
font_03_type1_off0006c2a7.bin
d5404eb74f2fe6b252ee95d36c847601169ade156df241fb1686b184793a1839		 pdf-font-stream PDF embedded font (type1) at offset 0x6C2A7 2095 bytes
font_05_type1_off0006f751.bin
7fa1975cfb5e221517c20cc8bc89f772ad59ad1fca5dc1ea37307406733dc851		 pdf-font-stream PDF embedded font (type1) at offset 0x6F751 1734 bytes
font_06_type1_off0006fe93.bin
fffc7ab8e0f0b59baa3cd48815c1c2a80d395dcb7a8d93956fd32b984aee31f2		 pdf-font-stream PDF embedded font (type1) at offset 0x6FE93 3376 bytes
font_08_type1_off000717bb.bin
7977613468e73be9e77eadb5274aae8acf86e86a96bc30f3273f9f6ce1fa86f1		 pdf-font-stream PDF embedded font (type1) at offset 0x717BB 18521 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.
font_09_type1_off00075ede.bin
569e3874942341e79b54a7e474d51613fa4326e4add76424de02a044bf6cacb0		 pdf-font-stream PDF embedded font (type1) at offset 0x75EDE 2834 bytes
font_10_type1_off00076a5f.bin
6b2c9c9662d638cdb4048836bf9410dff4586924e8b7a9cd8eb108304bc0665f		 pdf-font-stream PDF embedded font (type1) at offset 0x76A5F 2422 bytes
font_11_type1_off00077445.bin
9a5e2064f194560c4c269c9f6dae2d324c3782846c6996f7d4698cec6ee9ede8		 pdf-font-stream PDF embedded font (type1) at offset 0x77445 14936 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.88, consistent with packed or encrypted content.
font_13_type1_off0007d324.bin
602421b087b572a35685d8095011114746a50db26496bda74ac882a4352e2291		 pdf-font-stream PDF embedded font (type1) at offset 0x7D324 1870 bytes
font_15_type1_off0007fcd1.bin
3eaf0a1541e53aa5c72e7729e97c4ea043a8a73637a71bf26258920531129d32		 pdf-font-stream PDF embedded font (type1) at offset 0x7FCD1 2888 bytes
font_16_type1_off00080894.bin
d38696a0c92f5b1912369ebdf18bbc57461ca270be511ab5ecdd70955506e665		 pdf-font-stream PDF embedded font (type1) at offset 0x80894 1436 bytes
font_17_type1_off00080ea5.bin
72f9ff2c72f16f3bf48d4016a4532a5602bbb802237a5900bd736de7cdf31b69		 pdf-font-stream PDF embedded font (type1) at offset 0x80EA5 12940 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.
font_18_type1_off00084096.bin
0313912b21cab1b37ba37b64fcdfad1b66e0e6dd1fe54e69acd2b5b7bd57234a		 pdf-font-stream PDF embedded font (type1) at offset 0x84096 4650 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.77, consistent with packed or encrypted content.
font_19_type1_off000852ec.bin
a64e5393bcc817dc708d2b5578eb03334a55afc91a1d9eec90e02622b4356ee8		 pdf-font-stream PDF embedded font (type1) at offset 0x852EC 17425 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.89, consistent with packed or encrypted content.
font_20_type1_off000895d8.bin
e989a770203bd1bf3cac6acc62989a688c50f6ce1cc068cc6a50c3289ebc6a36		 pdf-font-stream PDF embedded font (type1) at offset 0x895D8 6182 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.80, consistent with packed or encrypted content.
font_21_type1_off0008adf3.bin
23b64e9facef1af0e00bded7422448d105af2b6909a3407f5428ad711e076e45		 pdf-font-stream PDF embedded font (type1) at offset 0x8ADF3 11016 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.85, consistent with packed or encrypted content.
font_22_type1_off0008d86b.bin
fad4e5fb60378fe8e8592ab9e4033f5d44c062aa2dbbd1047c568389f5fed1c6		 pdf-font-stream PDF embedded font (type1) at offset 0x8D86B 2037 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.