MALICIOUS
264
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.003 Windows Command Shell
T1105 Ingress Tool Transfer
This PDF file contains a critical PDF_LAUNCH heuristic indicating an attempt to execute a command. The specific command identified is 'cmd.exe /Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "%USERPROFILE%\����\ADMPlugin.apl" (cd/D "%USERPROFILE%\����"', which leverages CVE-2010-1240 to execute arbitrary commands. This suggests the document is designed to download and execute a secondary payload, likely stored as an embedded file.
Heuristics 7
-
Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
-
Launch action critical PDF_LAUNCHPDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
-
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMANDPDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "%USERPROFILE%\\����\\ADMPlugin.apl" (cd/D "%USERPROFILE%\\����"' — references a known-dangerous executable (cmd, PowerShell, etc.).
-
ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Tool.Agent-1388586
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0110_000.js0fedc506516bc0750b9540d66ff6d1bbd092eaaa9476e8e79aeda20b80c4f9aa |
pdf-javascript-stream | PDF /JS object 110 at offset 0x35DEF | 58 bytes |
font_00_sfnt_off00018873.binf027842567b04c926ad746e8dfdc4f8cdd2e3c7e0220264a22bb516569de8c36 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x18873 | 39760 bytes |
font_01_sfnt_off0001e18a.binda753cc0b5163c9b6666572dbeb35b7b5caf4a56d9c22c99c36835925c000a71 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E18A | 33672 bytes |
font_02_sfnt_off00023149.bin23ac8feb518c8c727acc6a954bb623e333337c9458521aed483fcc8d89f418c1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x23149 | 12752 bytes |
font_03_sfnt_off0002558e.binc8fd7189737c38a43b9ba034337799f502028b5db5a6037bd1df4c486f3233e0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2558E | 13136 bytes |
font_04_sfnt_off00027bf4.bincf699c117fd0bb7368c625645b874f03c477a382b67075e98dd54d87de53958b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x27BF4 | 27096 bytes |
font_05_sfnt_off0002ca67.bin34829650519fe758a893e02057f5c7c1070378add027225386180ba60993be24 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2CA67 | 13700 bytes |
font_06_sfnt_off0002f2cf.binbf36ecd37d117b665b1c68abb1c41fbb1a9d46c2c583bdb8512681835e553b91 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2F2CF | 14892 bytes |
font_07_sfnt_off00031db2.bin37478039963094b7b89fb24df19adb1f5ee171f766ade680ac5516bb23ede59f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x31DB2 | 13576 bytes |
font_08_sfnt_off00033c21.bindf903f2017d43426972294ce96b065da76255f4a0de84e466c7a4dd6181632c2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x33C21 | 1780 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.