Malicious PDF — malware analysis report

Static analysis result for SHA-256 89f0fdc8aaf5c92b…

MALICIOUS

PDF

574.9 KB Created: 2015-03-10 08:17:01 -04:00 Authoring application: Adobe InDesign CS6 (Macintosh) (via Adobe PDF Library 10.0.1)
MD5: b8b8d7287db2f0efe5fb6e28786c7e00 SHA-1: cce43581a842e0ddb9dde714b419ae1535bc3e29 SHA-256: 89f0fdc8aaf5c92b1b64c0301006f28376dacb2470ebbf3a14e8a4c9e1416077
334 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The PDF contains JavaScript that triggers a launch action, exploiting CVE-2010-1240 to execute cmd.exe. This command is designed to launch an embedded file named 'DatasetREADME.pdf'. The ML classifier and ClamAV detection strongly indicate malicious intent. The primary attack vector appears to be leveraging a known Adobe Reader vulnerability to deliver a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9977

Heuristics 9

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\DatasetREADME.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/g/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
DatasetREADME.pdf
c7d73a8fa2a38d9dca024d41116290d10ad6866578795ea4b78846869944ffaa		 pdf-embedded-file PDF EmbeddedFile object 138 at offset 0x1573A 1492972 bytes
javascript_obj0139_000.js
ba1286dbc4766d36ecc9a31fa8e1ef87f021f463bd388d4775d207840219571c		 pdf-javascript-stream PDF /JS object 139 at offset 0x8F4DB 62 bytes
font_00_cff_off00003429.bin
bbe9fe48e1f5a1e74d89c8f71a8f7b7b4aed41f004f506ba00cf53796c5dd263		 pdf-font-stream PDF embedded font (cff) at offset 0x3429 7305 bytes
font_01_cff_off00005125.bin
8c3d549e70d15fd5d103c1ff6b0d0465488bacf3cc81491a25c2d13462e60bb1		 pdf-font-stream PDF embedded font (cff) at offset 0x5125 365 bytes
font_02_cff_off0000562c.bin
139d3e2a70e70fc865cb2af7a860c64176c0053682acb98ae03f710f33a24393		 pdf-font-stream PDF embedded font (cff) at offset 0x562C 5012 bytes
font_03_cff_off00006e1a.bin
74212f63659a2138fa8f5c95dd84ac1806103e2c8e41099546b9b12888b66235		 pdf-font-stream PDF embedded font (cff) at offset 0x6E1A 1113 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.