Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c9e2d9387e2fa06…

MALICIOUS

PDF

Size: 284.9 KB
Created: 2010-02-07 22:10:13 +01:00
Authoring application: LaTeX with hyperref package (via xdvipdfmx (0.6))
MD5: b57de8962b68f556402d8d33d275174f
SHA-1: 78edc29cf4fb8e50ff108fc39371f47abcaf056a
SHA-256: 6c9e2d9387e2fa06277fdf1edd8201380ffcd3cf5fa50e6285fab0e12411991f
Risk Score: 354

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The PDF contains a launch action that executes cmd.exe, which is then used to download and execute a VBScript payload. This payload likely establishes a connection to a remote server for further instructions or payload delivery. The presence of a PDF launch action targeting cmd.exe and the embedded script strongly indicate exploitation for client execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics 9

  • Adobe Reader Launch action VBS dropper command chain critical CVE likely CVE_2010_1240_LAUNCH_VBS_DROPPER
    PDF uses a CVE-2010-1240-style Launch action: cmd.exe is invoked from /Launch and builds a VBS stage that uses ADODB.Stream, MSXML2.XMLHTTP, or FileSystemObject to write or execute a payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF JavaScript WScript downloader high PDF_JS_WSCRIPT_DOWNLOADER
    Decoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.foo.be/
    • http://www.gitorious.org/~adulau

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_0000e209.bin
SHA-256: 93946b35d219f4087b95c5110cd15eec7aa740c2f765f2749f522d9f2656211c
Kind: pdf-embedded-script
Source: PDF decompressed stream script payload at offset 0xE209
Size: 291748 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 3 shell/COM execution token(s). Carved artifact contains 2 long base64-like blob(s).