Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a2fee6f4825d342…

MALICIOUS

PDF

Size: 4.18 MB
Created: 2009-09-02 14:40:30 -05:00
Authoring application: SPDF
MD5: 67bc698daaf269dcbca91648a4649715
SHA-1: 04c08e50cda25bb6e3c7b6dfa32bce085ed94c6e
SHA-256: 6a2fee6f4825d342730cf0b3c15973c03b947e5db0bf6adbea2b87019834ef61
Risk Score: 498

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

This PDF exploits CVE-2010-1240 by using a launch action to execute cmd.exe. The embedded JavaScript, `this.exportDataObject({ cName: "teste33", nLaunch: 0 });`, is used to drop and potentially launch an embedded executable disguised as 'teste33.pdf'. ClamAV detections and ML classifiers confirm the malicious nature of the file and its dropped artifact.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9962

Heuristics 13

  • Adobe Reader Launch action command execution [critical] [CVE exact] CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action [critical] PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application.
  • /Launch action target: cmd.exe [critical] PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\teste33.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable [critical] PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Pdf.Tool.Agent-1388586 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • /Launch action paired with attachment-dropping JS API [high] PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • Clickable PDF combines external action with parser-evasion structure [high] PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://amplifier.ti.com)/S
    • http://dataconverter.ti.com)/S
    • http://www.dlp.com)/S
    • http://dsp.ti.com)/S
    • http://interface.ti.com)/S
    • http://logic.ti.com)/S
    • http://power.ti.com)/S
    • http://microcontroller.ti.com)/S
    • http://www.ti-rfid.com)/S
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/illustrator/1.0/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/g/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/sType/Font#
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.ti.com/audio)/S
    • http://www.ti.com/automotive)/S
    • http://www.ti.com/broadband)/S
    • http://www.ti.com/digitalcontrol)/S
    • http://www.ti.com/clocks)/S
    • http://www.ti.com/medical)/S
    • http://www.ti.com/military)/S
    • http://www.ti.com/opticalnetwork)/S
    • http://www.ti.com/security)/S
    • http://www.ti.com/telephony)/S
    • http://www.ti.com/video)/S
    • http://www.ti.com/lprf)/S
    • http://www.ti.com/wireless)/S
    • http://amplifier.ti.com

Extracted artifacts 21

Files carved from inside the sample during analysis.

One record per artifact: filename, SHA-256, kind, source, size, and any detection.

teste33.pdf
  SHA-256: 48b7f3c2e0e069cb78476fb3c726e2e2aeb648bc0fb1fbb6b8de25e120e8430c
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 853 at offset 0x42A123
  Size: 37888 bytes
  Detection: ClamAV: Win.Trojan.Rozena-131
  Obfuscation or payload: unlikely

javascript_obj0854_000.js
  SHA-256: fcf34504212b35b8e242acd1ea236f411be6278b4dd5c9d2984c45fadadfcf88
  Kind: pdf-javascript-stream
  Source: PDF /JS object 854 at offset 0x42EDF2
  Size: 56 bytes

stream_121_off0029155f.bin
  SHA-256: e893e32fa5de4125f86c6eafdec4e6ac1a7a3939cfbbcd7c905638cf5c7e33b6
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x29155F
  Size: 718768 bytes

stream_124_off0040d328.bin
  SHA-256: f78298db7b066c7a1024d189b3ea0f661f2162cfc6e9abdba1807256b1be7534
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x40D328
  Size: 19613 bytes

font_00_cff_off00003423.bin
  SHA-256: c84f7cdb1e1d20b1e6f75e79ff3ec14381c65d3f31f7294de3994bf90000e632
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x3423
  Size: 5419 bytes

font_01_cff_off004043fe.bin
  SHA-256: eb3c5c838b4a7359cfc29e4e6245bd256929afb5a227ced861ea18cee63eb1f3
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x4043FE
  Size: 5066 bytes

font_03_cff_off00412559.bin
  SHA-256: 5978485639b24daba3f5344571cb6545dd5c83673ec706d8cebef87685311310
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x412559
  Size: 5104 bytes

font_04_cff_off00413d6f.bin
  SHA-256: 69d566f67a084766e07c6d5f3d3cb871916c6a3695975645a94379b580fd0ea3
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x413D6F
  Size: 362 bytes

font_05_cff_off0041495c.bin
  SHA-256: 77cb47a3fc0486d3781fc0ed809b581a25f9b358e79e9dba976f2e5e83ce5707
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x41495C
  Size: 2079 bytes

font_06_cff_off00415a6c.bin
  SHA-256: 86a2e003c5e11e5e2a9d5eda8c0b7d040f417f63e2863ab5561ca83fab8417bf
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x415A6C
  Size: 3497 bytes

font_07_cff_off004174c7.bin
  SHA-256: de4c6a86ab173b5b4fa526c86fd481b5ee45be7eaa86f8c4610d1af9137885a8
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x4174C7
  Size: 513 bytes

font_08_cff_off00417af2.bin
  SHA-256: f43f33b71cca1c7559d9baf27ade002081bc9f141cb18159b459b93d0f433cd5
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x417AF2
  Size: 4962 bytes

font_09_cff_off00418c8a.bin
  SHA-256: a43a4f197eefdeaa9dcab8f79cb9cddca837af6028743551191bb7749d542e59
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x418C8A
  Size: 3713 bytes

font_10_cff_off00419b6a.bin
  SHA-256: 5ddfaeeb3c5c7f417f9f06e33cc478afabf4c5936c2e36b0e0669c39863d8e1e
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x419B6A
  Size: 3115 bytes

font_11_cff_off0041aab3.bin
  SHA-256: 25ef5c23eb7b2e922f8df5839fecfa15fadf55bcb6ee99c768db0cbb3c16693a
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x41AAB3
  Size: 4741 bytes

font_12_cff_off0041bf52.bin
  SHA-256: 0a2cc6cdbb8b6a892c06915a2d0833b2f6b553ce4c63dad89e0237a5a559c508
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x41BF52
  Size: 4960 bytes

font_13_cff_off0041d22c.bin
  SHA-256: 2ef7a3eb343f138e0a33161e6bc4bc528765344f409ca30cf1108685522eeb95
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x41D22C
  Size: 3249 bytes

font_14_sfnt_off0041e278.bin
  SHA-256: 4f8e51fce2e91bbfb3d4db316e75ea96a03cdee62482deb9dd7884277e77d1fe
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x41E278
  Size: 4830 bytes

font_15_cff_off0041f2bb.bin
  SHA-256: 9984ac2d663ee71f5eb9f1d371244e8067eebb353de6c8505da228367df6f5f1
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x41F2BB
  Size: 6033 bytes

font_16_cff_off00420dc6.bin
  SHA-256: 8ab3ad72b4bfa61997a1bff56efefa34a77f121f9cdb03c5482734f50a7558a4
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x420DC6
  Size: 5441 bytes

font_17_cff_off0042253b.bin
  SHA-256: 3ce033da36ed8bc29b121c419aafccbfe88a886dfe1164afc6d200dc60238bc6
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x42253B
  Size: 5920 bytes