Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e951b016fc5d448…

MALICIOUS

PDF

713.0 KB Created: 2007-06-06 13:36:05 -07:00 Authoring application: Word (via Mac OS X 10.4.9 Quartz PDFContext)
MD5: 30c7187f30e86477b81a04625d44e9fb SHA-1: b68cdc85d706456dd1d63655b17b2a9940ac4321 SHA-256: 7e951b016fc5d44886f5e7d4495484024d42225e6d2a85bb6f9eae3856b239dc
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains a critical PDF_LAUNCH heuristic firing, indicating a launch action targeting cmd.exe. This action is designed to execute a command that creates a VBScript file. The embedded script payload further suggests the file's malicious intent is to download and execute a second-stage payload. The reconstructed command line is: cmd.exe /c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream").

Heuristics 4

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_018_off00048169.bin
fd5abbbb5d50496c61017c0d9cbb45e8a2d8aa142f3aa01ac90ac3e6c8b38b64		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x48169 17700 bytes
embedded_pdf_script_000571b6.bin
bcae4ad86763e30f202234ba573c5d9cc7166f217a2ed81cd2300f0d14d20272		 pdf-embedded-script PDF decompressed stream script payload at offset 0x571B6 730103 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 shell/COM execution token(s).
icc_00_off00017475.icc
eb03db58ff1f226c83103a11f30b5520f9b68a7ced67daa78992723e3ea0411d		 pdf-icc-profile PDF ICC profile at offset 0x17475 1320 bytes
font_00_sfnt_off00035ea2.bin
fa05348abe1b69309e66bfa9d7d684fcf6e4002142b8912ecab0a893ac66ddbc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x35EA2 12584 bytes
font_01_sfnt_off00038496.bin
46c5c9951e10a218fbf82ca783f72826936d4705f83a322e9b1de40a70267824		 pdf-font-stream PDF embedded font (sfnt) at offset 0x38496 32212 bytes
font_02_sfnt_off0003e2de.bin
9569563ea4cb1c2a79d2d5f91820f8f6387b2640b2f80b89981b6fd4c97f65ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3E2DE 21640 bytes
font_03_sfnt_off000424a0.bin
59671adef1cd66db353bf0660fe8e1312b73b9e0f97837bcaccfc8de682d5475		 pdf-font-stream PDF embedded font (sfnt) at offset 0x424A0 34624 bytes
font_05_sfnt_off0004b761.bin
0ed8f26c026337f4b6cad73bfaac0e0c01573dd9c5d2ebddd48d84a0418b4f0d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B761 3308 bytes
font_06_sfnt_off0004c077.bin
74270d01c0d00b996f1ceff67fcdec0ba664e642c6757fbc8db188e34fac2061		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C077 51488 bytes
font_07_sfnt_off00055576.bin
af582a08ee629b51f1031330583e4f9985b0d4c9ad356c9a1b103fb54f103a5e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55576 6440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.