Malicious PDF — malware analysis report

Static analysis result for SHA-256 705cbd00e1258a51…

Verdict: MALICIOUS
File type: PDF
Size: 607.6 KB
Authoring application: LaTeX with hyperref package (via dvips + ESP Ghostscript 7.07)
MD5: e8899f7c5d43c8934644e51820d23d1d
SHA-1: 566413bd86e68e94258f9c1c0e423a9669942f09
SHA-256: 705cbd00e1258a51c6fba3e89d1818160403c5b4a2cf527c67a037174940af89
Risk score: 578

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1105 Ingress Tool Transfer

The PDF pairs a /JavaScript action (a small /JS stream, object 649) with a /Launch action that invokes cmd.exe with attacker-supplied parameters. The command checks whether a file named 'Paradis-rdebuts_fr.pdf' exists on the user's Desktop and, if so, changes into that directory (the parameter string is truncated in the rule output below). The attachment of that name (object 648) is declared as a PDF, but its decompressed content is a Windows PE executable, which ClamAV flags as Win.Trojan.Swrort-5710536-0. This is the classic /Launch + exportDataObject drop-and-execute chain (the CVE-2010-1240 pattern): the JavaScript writes the attachment to disk and the /Launch action runs it. Together with the ML classifier score (0.9961) and ClamAV hits on both the container and the carved payload, this strongly indicates delivery of a second-stage executable. Adobe Reader has blocked /Launch of executables by default since version 9.3.3 unless the user changed that preference, so success also depends on the viewer configuration and on the user accepting the launch dialog. The extracted URLs are ordinary hyperlinks to R-project, CRAN, GNU and Apache pages, consistent with the decoy content of a LaTeX-authored document, and are not by themselves indicators of C2 or payload download.
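The chain summarised above can be triaged statically without opening the file in a reader. The following Python script is an added example written for this page, not the analyser's own code: it walks the indirect objects of a PDF, pulls the /Launch target and parameter string, inflates /EmbeddedFile streams and checks their content for a real PE header (MZ plus a PE signature at e_lfanew, the "verified PE header" check) against the filename declared in the matching /Filespec, looks for the attachment-exporting JavaScript API, and maps the result onto the rule names used in this report. The fixture built by build_fixture() is constructed here to mimic the object shapes listed in this report; 'lure.pdf', the parameter string, the MZ stub and the DANGEROUS_TARGETS and DROPPER_APIS lists are assumptions of the example, not bytes or rules from the analysed sample.

```python
"""Static triage of the /Launch + embedded-PE + dropper-JS chain scored above.
Added example, not the analyser's code: build_fixture() constructs a stand-in with
placeholder names ('lure.pdf'), parameters and an MZ stub, not the analysed sample."""
import os
import re
import struct
import zlib

DANGEROUS_TARGETS = {"cmd.exe", "cmd", "powershell.exe", "powershell", "wscript.exe", "cscript.exe", "mshta.exe"}
DROPPER_APIS = (b"exportDataObject", b"app.launchURL")  # JS APIs that write or open an attachment
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".rtf", ".txt", ".jpg", ".png")


def read_literal(buf: bytes, i: int) -> tuple:
    """Decode the PDF literal string at buf[i] == b'(' (nested parens, \\x escapes; octal left as is)."""
    esc = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}
    depth, out, i = 1, bytearray(), i + 1
    while i < len(buf) and depth:
        c = buf[i:i + 1]
        if c == b"\\":
            out += esc.get(buf[i + 1:i + 2], b"\\" + buf[i + 1:i + 2])
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth:
            out += c
        i += 1
    return bytes(out), i


def _literal_after(body: bytes, key: bytes) -> bytes:
    m = re.search(rb"/" + key + rb"\b\s*\(", body)  # direct string only; indirect refs give b""
    return read_literal(body, m.end() - 1)[0] if m else b""


def is_pe(data: bytes) -> bool:
    """MZ header plus 'PE\\0\\0' at e_lfanew: the 'verified PE header' check, not just magic bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(pdf: bytes) -> dict:
    """Walk every indirect object and record the three surfaces the report scores."""
    objs = {int(m.group(1)): m.group(2)
            for m in re.finditer(rb"(\d+)\s+0\s+obj\b(.*?)endobj", pdf, re.S)}
    declared = {}  # /EmbeddedFile object number -> filename the /Filespec shows to the user
    for body in objs.values():
        ef = re.search(rb"/EF\s*<<\s*/F\s*(\d+)\s+0\s+R", body)
        if ef and re.search(rb"/Type\s*/Filespec\b", body):
            declared[int(ef.group(1))] = _literal_after(body, b"F").decode("latin-1")
    found = {"launch": [], "embedded": [], "js": []}
    for num, body in objs.items():
        if re.search(rb"/S\s*/Launch\b", body):
            found["launch"].append({"obj": num, "target": _literal_after(body, b"F").decode("latin-1"),
                                    "params": _literal_after(body, b"P").decode("latin-1")})
        if re.search(rb"/Type\s*/EmbeddedFile\b", body):
            m = re.search(rb"/Length\s+(\d+)\b.*?stream\r?\n", body, re.S)  # direct /Length only
            raw = body[m.end():m.end() + int(m.group(1))] if m else b""
            try:
                raw = zlib.decompress(raw)  # /FlateDecode; an uncompressed or corrupt stream stays raw
            except zlib.error:
                pass
            name, magic = declared.get(num, ""), ("windows-executable" if is_pe(raw) else "other")
            found["embedded"].append({"obj": num, "declared_name": name, "magic": magic, "size": len(raw),
                                      "mismatch": magic == "windows-executable" and name.lower().endswith(DOCUMENT_EXTS)})
        if re.search(rb"/JS\b\s*\(", body):
            js = _literal_after(body, b"JS")
            found["js"].append({"obj": num, "dropper_api": any(api in js for api in DROPPER_APIS)})
    return found


def evaluate(found: dict) -> list:
    """Map the findings onto the rule names used in this report."""
    launch, emb, js = found["launch"], found["embedded"], found["js"]
    bad_target = any(os.path.basename(l["target"].replace("\\", "/")).lower() in DANGEROUS_TARGETS for l in launch)
    checks = [("PDF_LAUNCH", bool(launch)),
              ("PDF_LAUNCH_COMMAND", bad_target),
              ("PDF_EMBEDDED_PE_PAYLOAD", any(e["magic"] == "windows-executable" for e in emb)),
              ("PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH", any(e["mismatch"] for e in emb)),
              ("PDF_LAUNCH_PLUS_DROPPER_JS", bool(launch) and any(j["dropper_api"] for j in js))]
    return [name for name, hit in checks if hit]


def build_fixture() -> bytes:
    """Constructed minimal PDF mirroring the object shapes in this report (not the real sample)."""
    fake_pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 60  # e_lfanew -> PE
    payload = zlib.compress(fake_pe)
    params = b"/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist \"Desktop\\\\lure.pdf\" (cd \"Desktop\"))&(start lure.pdf)"
    bodies = [
        b"<< /Type /Catalog /OpenAction 5 0 R >>",
        b"<< /S /Launch /Win << /F (cmd.exe) /P (" + params + b") >> >>",
        b"<< /Type /Filespec /F (lure.pdf) /EF << /F 4 0 R >> >>",
        b"<< /Type /EmbeddedFile /Subtype /application#2Fpdf /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(payload) + payload + b"\nendstream",
        b"<< /S /JavaScript /JS (this.exportDataObject({ cName: 'lure.pdf', nLaunch: 0 });) >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    for n, body in enumerate(bodies, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    return bytes(out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
```

Run it as evaluate(triage(open(path, "rb").read())) against a sample. The parser is deliberately regex-based: it sees objects the way a signature engine does, without the normalisation a full PDF library applies, so objects a strict parser would discard still show up. Indirect /JS, /F or /P references, hex strings, object streams and encrypted files are not followed; expand those first with qpdf --qdf or pdf-parser.py and rerun.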

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (15)

  • Adobe Reader Launch action command execution [critical] CVE_2010_1240 (exact CVE match)
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action [critical] PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path, which can start an external application.
  • Embedded Windows executable payload in PDF stream [critical] PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe [critical] PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\Paradis-rdebuts_fr.pdf" (cd "Desktop"' (parameter string truncated in this output) and references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable [critical] PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content: the attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Pdf.Tool.Agent-1388586 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample (here the attachment Paradis-rdebuts_fr.pdf, detected as Win.Trojan.Swrort-5710536-0). Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • /Launch action paired with attachment-dropping JS API [high] PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource, the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs practically never pair these two surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API or /Launch target.
  • Clickable PDF combines external action with parser-evasion structure [high] PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object-graph or xref structures that make parsers disagree, such as the same object number defined twice with divergent content, or xref offsets that do not match where the objects actually sit. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.insightful.com/products/splus/default.asp
    • http://www.omegahat.org/R/
    • http://www.zeustech.net/
    • http://]hostname[:port]/path (a URL syntax template from the document text, not a reachable address)
    • http://cran.r-project.org/doc/FAQ/R-FAQ.html
    • http://www.gnu.org/
    • http://cran.r-project.org/
    • http://stat.cmu.edu/S/
    • http://cm.bell-labs.com/cm/ms/departments/sia/project/trellis/index.html
    • http://cran.r-project.org/src/contrib/PACKAGES.html
    • http://www.bioconductor.org/
    • http://www.R-project.org/mail.html
    • http://www.R-project.org/doc/bib/R-publications.html
    • http://cran.r-project.org/other-docs.html
    • http://cran.r-project.org/search.html
    • http://www.r-project.org/posting-guide.html
    • http://cran.r-project.org/doc/Rnews/
    • http://www.R-project.org
    • http://www.apache.org/
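The parser-evasion heuristic in the list above is about structure rather than content: a cross-reference table whose offsets do not point at the objects they claim, or one object number defined twice with different bodies, so that a reader that takes the first definition and one that takes the last see different documents. The script below is an added example for this page, not the analyser's code. It reads the classic xref table reachable from the last startxref, compares each declared offset with the positions where "N G obj" headers actually occur, lists object numbers with more than one definition, and flags that structure in combination with an external /URI action, which is the pairing the rule scores. build_fixture() constructs a small PDF with one bad offset and one divergent duplicate; it is not the analysed sample, and the URL, the alert and the cmd.exe parameters inside it are placeholders. Cross-reference streams (PDF 1.5+) and object streams are out of scope for the example.

```python
"""Cross-reference and duplicate-object consistency checks behind PDF_ACTION_PARSER_EVASION.
Added example, not the analyser's code; build_fixture() constructs a PDF with a deliberately
wrong xref offset and a divergent duplicate object. Only classic xref tables are handled."""
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")


def scan_objects(pdf: bytes) -> dict:
    """Byte offsets of every 'N G obj' header keyed by object number. A list per number,
    so a second definition is kept instead of silently replacing the first."""
    found = {}
    for m in OBJ_RE.finditer(pdf):
        found.setdefault(int(m.group(1)), []).append(m.start())
    return found


def parse_xref(pdf: bytes) -> dict:
    """Object number -> declared offset, from the classic xref table at the last startxref.
    Cross-reference streams (PDF 1.5+) are not parsed and yield an empty map."""
    pos = pdf.rfind(b"startxref")
    m = re.match(rb"startxref\s+(\d+)", pdf[pos:]) if pos >= 0 else None
    if not m:
        return {}
    xref_off = int(m.group(1))
    end = pdf.find(b"trailer", xref_off)
    table = pdf[xref_off:end if end >= 0 else None]
    if not table.startswith(b"xref"):
        return {}
    lines = [ln for ln in table.splitlines() if ln.strip()][1:]  # drop the 'xref' keyword line
    declared, i = {}, 0
    while i < len(lines):
        sub = re.match(rb"\s*(\d+)\s+(\d+)\s*$", lines[i])  # subsection header: first-object count
        if not sub:
            break
        first, count = int(sub.group(1)), int(sub.group(2))
        for k, ln in enumerate(lines[i + 1:i + 1 + count]):  # slicing tolerates a truncated table
            ent = re.match(rb"\s*(\d{10})\s+(\d{5})\s+([nf])", ln)
            if ent and ent.group(3) == b"n":
                declared[first + k] = int(ent.group(1))
        i += 1 + count
    return declared


def has_external_uri(pdf: bytes) -> bool:
    return re.search(rb"/S\s*/URI\b", pdf) is not None


def xref_report(pdf: bytes) -> dict:
    actual, declared = scan_objects(pdf), parse_xref(pdf)
    return {
        # declared offset that lands on no 'N G obj' header for that object number
        "xref_mismatch": {n: (off, actual.get(n, [])) for n, off in declared.items()
                          if off not in actual.get(n, [])},
        # object numbers defined more than once: first-wins and last-wins parsers disagree
        "duplicate_objects": {n: offs for n, offs in actual.items() if len(offs) > 1},
        "external_uri": has_external_uri(pdf),
    }


def is_action_plus_evasion(pdf: bytes) -> bool:
    """The report's combination: an outward /URI action plus a structure parsers disagree on."""
    r = xref_report(pdf)
    return r["external_uri"] and bool(r["xref_mismatch"] or r["duplicate_objects"])


def build_fixture(evasive: bool = True) -> bytes:
    """Constructed PDF with a link annotation; evasive=True adds one bad xref offset and one
    divergent duplicate of object 4 (placeholder URL and command, not the analysed sample)."""
    bodies = {
        1: b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >>",
        4: b"<< /S /JavaScript /JS (app.alert\\(1\\)) >>",
        5: b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (http://example.invalid/) >> >>",
    }
    out, offsets = bytearray(b"%PDF-1.4\n"), {}
    for n, body in bodies.items():
        offsets[n] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    if evasive:
        # second definition of object 4: a first-definition parser sees the alert, a
        # last-definition parser sees a /Launch; the xref keeps pointing at the first copy
        out += b"4 0 obj\n<< /S /Launch /Win << /F (cmd.exe) /P (/c echo placeholder) >> >>\nendobj\n"
        offsets[3] += 7  # deliberately wrong: points into the body of object 3
    xref_off = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(bodies) + 1)
    for n in sorted(offsets):
        out += b"%010d 00000 n \n" % offsets[n]
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(bodies) + 1, xref_off)
    return bytes(out)
```

xref_report(open(path, "rb").read()) gives the raw facts; is_action_plus_evasion() reduces them to the rule's yes/no. A mismatch or duplicate on its own is not a verdict, since incremental updates legitimately redefine objects and sloppy generators write off-by-a-few offsets, which is why the rule only fires in combination with an outward action.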

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename                     Kind                     Source                                         Size
Paradis-rdebuts_fr.pdf       pdf-embedded-file        PDF EmbeddedFile object 648 at offset 0x8CD86  73802 bytes
  SHA-256: 3ff520369bee0e04292c23990e8773bdaf736422a165d7402e7c25f981d56c6e
  Detection: ClamAV: Win.Trojan.Swrort-5710536-0
  Obfuscation or payload: unlikely
javascript_obj0649_000.js    pdf-javascript-stream    PDF /JS object 649 at offset 0x979BE           67 bytes
  SHA-256: 70dbef402a62490d161e7d2520b0862ad62ca8070979f9630f8ff6de7a0be72d
stream_102_off00079bd5.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x79BD5      3543 bytes
  SHA-256: 59a79d8ecbaa7b6df09fd7644008bc03c4a57b217f8f2be1ab7a471fb4da5640
font_00_cff_off000684b8.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x684B8      11234 bytes
  SHA-256: 77dcc86e19a03c0770bcf606006e84dd98eb408007bcb740a7f1ecab052d773a
font_01_cff_off0006a7ea.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x6A7EA      9237 bytes
  SHA-256: 9097374e92c18b0075dc4ab723ad25fe96f676be3f663a591f2c599b4bdcd242
font_02_cff_off0006c43e.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x6C43E      1082 bytes
  SHA-256: 14f669e825b0c127ad12991502932a3289e34917c6c9333d7c4dc10da4118590
font_03_cff_off0006c99f.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x6C99F      1712 bytes
  SHA-256: 5362077861b0bc48d3a059e853bf8dfdc19502559382ddb5688e4269a8cc8d17
font_04_cff_off0006d121.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x6D121      3980 bytes
  SHA-256: 62173f0c2b89eb7146fc2b8887f31697b1dd2c8eff7cb9b74e4c5d2c24db7558
font_05_cff_off0006df1f.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x6DF1F      1098 bytes
  SHA-256: 86fee9ecfd483bee3fbefc81bf12e6fdb765c6064decfd2b5184c2c162b0888f
font_06_cff_off0006e468.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x6E468      542 bytes
  SHA-256: 75684a082f956cdc13b9ec35520e5d04cff4c9a5feb99e89b39664bc82628749
font_07_cff_off0006e81a.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x6E81A      2992 bytes
  SHA-256: 667602cc075b50b80f2577f57d6bae7f28c426c4e28599e2cbd5ca44e4186af9
font_08_cff_off0006f3c8.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x6F3C8      2379 bytes
  SHA-256: 2969167eb8e6218d2578cd71561ebb696b3bc287deefec05c09061adf9618cbd
font_09_cff_off0006fe34.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x6FE34      7312 bytes
  SHA-256: 5b1389cde6f977ee73432be4a08ffad7953aede5f20f090cc7f794dde9343db7
font_10_cff_off000716db.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x716DB      3259 bytes
  SHA-256: 8779170d0099a2d42a201f0351619e39a801b50247331fac1dd3791e25ca5bdc
font_11_cff_off0007230d.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x7230D      10019 bytes
  SHA-256: d4e7bc5fea14d44c71bf27a37603e4f4b169dcef14991e5e3f5415e9c0a2815b
font_12_cff_off00074204.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x74204      1941 bytes
  SHA-256: 8da1f98b33929c082ce8b4ad02700f6eb0b1c37460e569aa3650e82ff7161c96
font_13_cff_off00074aa7.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x74AA7      5364 bytes
  SHA-256: 22ee4447e259c5848ac3fbe9039ef4fd584ffa4d9d99d0fe74e5b2973c2af41a
font_14_cff_off00075d63.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x75D63      10442 bytes
  SHA-256: f5295ee84f9bd00905355f8504ac2e84b0541a0cd523fe18ade0ae20fe2c5d1d
font_15_cff_off00077cf2.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x77CF2      1880 bytes
  SHA-256: 5703012d5b5399642855018ac9f711a54a507a71ebea7c49202ff147eef1236b
font_16_cff_off00078472.b.bin  pdf-font-stream        PDF embedded font (cff) at offset 0x78472      545 bytes
  SHA-256: c113bedbdaca25285f79fe92a3613f35ebbd2a11515b3e04abde1eb94a4a2e31
font_17_cff_off000787e5.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x787E5      584 bytes
  SHA-256: 784e8f38845971078672f78db20c5a9e7c297bf2d39d801483feb326eb98c67c
font_18_cff_off00078b75.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x78B75      2279 bytes
  SHA-256: e4b33230565a2d9bb2c544649400b5fee288dab255869acffe5229938b5bdf29
font_19_cff_off00079483.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x79483      602 bytes
  SHA-256: 040bc2349e169d2074150d7b779cb77bf43bb0eea5e0e2bcbed152120eb5c970
font_20_cff_off00079847.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x79847      545 bytes
  SHA-256: b2ddd03544d23515f12c939a0b52dd9c4b2d402ef1b740b6e35a98bc4ca594b8
font_22_cff_off0007a8de.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x7A8DE      937 bytes
  SHA-256: 2280681346bd02fd60edd9d18543ef1996ae2a95a03054efd5ec653dc3bce6a6
font_23_cff_off0007adc2.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x7ADC2      2163 bytes
  SHA-256: dec6f4ecd5facc5b5b6b5a554fb00c3e210404b01ea69288e573902ad80ee0ce
font_24_cff_off0007b5f7.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x7B5F7      6282 bytes
  SHA-256: 4fb5278d534ffd0b5d60e7d54ad0a427a0115a9261f74f71df33f7f194dd58b1
font_25_cff_off0007c9f3.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x7C9F3      348 bytes
  SHA-256: 3ad2014b35e004b5d4780d349f20af9a7a4e1657cc85cffd3bbf9f1138819ac9
font_26_cff_off0007cd8b.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x7CD8B      7072 bytes
  SHA-256: d779a1e03d9099894fa4587e73728086643c0f0e3e7e31f315610fc73c24869e
font_27_cff_off0007e346.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x7E346      230 bytes
  SHA-256: b974cb96cbb82f5e0fef04f4a76245e631bab6149c6d5902f663d7302fbc9977
font_28_cff_off0007e589.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x7E589      758 bytes
  SHA-256: 0995bc07ae7147ca50411092897b33c6b9f992cca72343863d163c13803a9c2b
font_29_cff_off0007e9d5.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x7E9D5      1224 bytes
  SHA-256: b1ab391659cc8941be02c7ad8ed6fd707f88f87b787baa4a467d65125c8723d2