Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c6b7cd42044046e…

MALICIOUS

PDF

2.4 KB
MD5: e6b0c417cd9a47d685523ab6434707e4 SHA-1: c20a2a2e635942572ab9b8142f1dcaea90733810 SHA-256: 6c6b7cd42044046e9e4fc39cdff799dc721c9180307f1b2bdc285604acbc8052
292 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.005 Visual Basic T1071.001 Web Protocols

This PDF file contains an embedded script that leverages cmd.exe to download a VBScript payload from http://xblforums.com/fun/?m=1&e=YWRvYmVfcGFyYW1ldGVyc19nbG9iYWw= and save it as %TEMP%ssl.vbs. The script then proceeds to execute this downloaded payload, indicating a multi-stage attack designed to deliver further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 6

  • Adobe Reader Launch action VBS dropper command chain critical CVE likely CVE_2010_1240_LAUNCH_VBS_DROPPER
    PDF uses a CVE-2010-1240-style Launch action: cmd.exe is invoked from /Launch and builds a VBS stage that uses ADODB.Stream, MSXML2.XMLHTTP, or FileSystemObject to write or execute a payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters ' /c echo Set kkhvnhbuurvrdtbyqrjf = CreateObject\("MSXML2.ServerXMLHTTP"\' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF JavaScript WScript downloader high PDF_JS_WSCRIPT_DOWNLOADER
    Decoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://xblforums.com/fun/?m=1&e=YWRvYmVfcGFyYW1ldGVyc19nbG9iYWw=

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_000002d5.bin
34e93e74222c3ce6620d5f2260be1a6bee2cd090ba17e49d93a7d0dc73886636		 pdf-embedded-script PDF decompressed stream script payload at offset 0x2D5 743 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.