MALICIOUS
264
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.003 Windows Command Shell
T1105 Ingress Tool Transfer
The PDF file contains a critical PDF_LAUNCH_COMMAND heuristic firing indicating the use of cmd.exe with parameters that suggest an attempt to execute a downloaded payload. The CVE_2010_1240 technique is explicitly matched, confirming the exploit of a launch action for command execution. The embedded JavaScript and embedded file artifacts further support the likelihood of a multi-stage attack. The primary IOC is the command-line execution string.
Heuristics 8
-
Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
-
Launch action critical PDF_LAUNCHPDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
-
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMANDPDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\numero_45.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
-
ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Tool.Agent-1388586
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/exif/1.0/
- http://ns.adobe.com/tiff/1.0/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/photoshop/1.0/
- http://ns.adobe.com/xap/1.0/rights/
- http://ns.adobe.com/exif/1.0/aux/
- http://ns.adobe.com/camera-raw-settings/1.0/
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
- http://ns.adobe.com/xap/1.0/sType/ManifestItem#
- http://ns.adobe.com/xap/1.0/g/img/
- http://ns.adobe.com/pdf/1.3/
Extracted artifacts 18
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0335_000.js8f54b34962052c78f96fd1141c5546f201c9d46a428df8adc1a711b6f93354b5 |
pdf-javascript-stream | PDF /JS object 335 at offset 0x1FA213 | 58 bytes |
stream_042_off000e2055.bin5d3af394ee71a249c9ae4f2f85402546f13120fcdc5dee3bbe29aca175e993ef |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xE2055 | 1064 bytes |
icc_00_off00016465.icc2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e |
pdf-icc-profile | PDF ICC profile at offset 0x16465 | 3144 bytes |
font_01_cff_off001c6a9c.binfd5b15c6b8ddd267216d82206f8feee32c13cef87ac1cefe11d9ae579e18e3ac |
pdf-font-stream | PDF embedded font (cff) at offset 0x1C6A9C | 2165 bytes |
font_02_cff_off001c7790.binbca1da0e00bd3ca3ad49a5de640c6e1c19cbe811ecedb31372d9ea481025ae02 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1C7790 | 3528 bytes |
font_03_cff_off001c82f0.bin79a6319f10dc4cc540869ee88eaee2a54b760c23f1a7ba37e20f0dd95e99c4ff |
pdf-font-stream | PDF embedded font (cff) at offset 0x1C82F0 | 6088 bytes |
font_04_cff_off001ce227.bin16c64b2e4f26da35221f549818c8f83ac33300814e520e13a2d14e8856438b14 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1CE227 | 12180 bytes |
font_05_cff_off001d708a.binacf3a89ecc2f3f62a808ad144a8f5dbee2de356e179234fa6e6f1062be15caef |
pdf-font-stream | PDF embedded font (cff) at offset 0x1D708A | 9529 bytes |
font_06_cff_off001d8b87.bin2279305d62343c3075f99287d43cb0cc6ed8a78f80ece1138b36b9bce6fab45f |
pdf-font-stream | PDF embedded font (cff) at offset 0x1D8B87 | 2090 bytes |
font_07_cff_off001d9ad5.bin94e90cbc18b8f2e83986a633d37c8b579aa5981d7540ff81a9f1d79b36cefba3 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1D9AD5 | 3126 bytes |
font_08_cff_off001da7d0.bin3d1a264a24827a3c7f1abf25680d36e4d41845443923179f358a8e6a25ad28c3 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1DA7D0 | 7426 bytes |
font_09_cff_off001dc46e.binbb7ba3557a0b681bfae46692573039e5cfc52512c02f4dcad9983e4dc8dcd890 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1DC46E | 8453 bytes |
font_10_cff_off001de56a.bind3589ab33769daaa9181db7bad32736f23272c9b7881b110a39908a0359e96a4 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1DE56A | 2066 bytes |
font_11_cff_off001df086.bin112e4a8decd4a56fe7de4916fe8a839a44d4cb3366bd24e155a02812015226ec |
pdf-font-stream | PDF embedded font (cff) at offset 0x1DF086 | 290 bytes |
font_12_cff_off001df20e.binc37529e68560dadd8c9614d9b2844cf47142a798d41e6b165bb6a5197f44b7b1 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1DF20E | 6308 bytes |
font_13_cff_off001e0a13.bin3e2cde7ba83c61ff0055a8a0e05b62fcd72c31c32c8118a78464c1779f31e7af |
pdf-font-stream | PDF embedded font (cff) at offset 0x1E0A13 | 2649 bytes |
font_14_cff_off001e2143.bin2dc6bf52b7bcab041694f321394a76cf8664069c8c1ee5fdf703dca56fa73c1b |
pdf-font-stream | PDF embedded font (cff) at offset 0x1E2143 | 8935 bytes |
font_15_cff_off001e3a18.bin4a24b37400b63779f9ebc087aa4ed9f8ee49afb04b0a3a171aabec839a6a3ff3 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1E3A18 | 661 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.