Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e83420329299227…

MALICIOUS

PDF

193.2 KB Created: 2008-01-27 21:22:13 -08:00 Authoring application: LaTeX with hyperref package (via pdfeTeX-1.21a)
MD5: 02cc316d6ec925e49f90d5185ab5b2fd SHA-1: a2f494c8abde140dd8e61521ee9e799dfaa2b74e SHA-256: 8e834203292992277c1307bc26ea745cb53fc8b99c213e1de4621a4da707fc75
468 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File T1059.003 Command and Scripting Interpreter: Windows Command Shell T1105 Ingress Tool Transfer T1566.002 Phishing: Spearphishing Attachment

This PDF document exploits CVE-2010-1240 via a launch action to execute cmd.exe. The command attempts to change directory and then likely proceeds to launch an embedded PE payload, detected as Win.Trojan.Rozena-131 by ClamAV. The PDF itself is detected as Pdf.Exploit.Agent-22118. The document body discusses ActiveX controls, suggesting a lure related to software functionality or exploitation.

Heuristics 14

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\ActiveX_active_expl.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Exploit.Agent-22118 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-22118
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.nologin.org
    • http://www.milw0rm.com/exploits/4420
    • http://www.milw0rm.com/exploits/4720
    • http://www.milw0rm.com/exploits/4825
    • http://taossa.com
    • http://labs.idefense.com/software/fuzzing.php#more_comraider
    • http://en.wikipedia.org/wiki/ActiveX_control
    • http://msdn2.microsoft.com/en-us/library/aa751968.aspx
    • http://www.metasploit.com/users/hdm/tools/axman/

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0221_000.js
e5da64b53966878f4560a559ef01fe3451d574f095a10b50b9c54d1ac6f30462		 pdf-javascript-stream PDF /JS object 221 at offset 0x30060 68 bytes
stream_023_off000246b1.bin
bf114597a620b3948e9b768d50f35907c33143632b7af679b32f3fb3c986f360		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x246B1 4657 bytes
stream_025_off0002b35a.bin
fb1a9fe4a163ab1ea11a3db3cbae54c38a9ac8846572435dc5b2c46887bac68b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2B35A 37888 bytes
Detection
ClamAV: Win.Trojan.Rozena-131
Obfuscation or payload: unlikely
font_00_type1_off00017874.bin
0028664400f5755b41b28091e0ae85cb7a6622f39234ffe01d60bda79833c742		 pdf-font-stream PDF embedded font (type1) at offset 0x17874 7568 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.64, consistent with packed or encrypted content.
font_01_type1_off00019633.bin
2cc8fe11bdd3cb791030d6356cb0cad82d8e1107187568e6a4bc69cdf2ef95bb		 pdf-font-stream PDF embedded font (type1) at offset 0x19633 17326 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.83, consistent with packed or encrypted content.
font_02_type1_off0001da9d.bin
ff6aa1fb1a43d830a31d4d1654b502a9112295572db0afaa85f733be60e25cbb		 pdf-font-stream PDF embedded font (type1) at offset 0x1DA9D 8038 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.66, consistent with packed or encrypted content.
font_03_type1_off0001fa8b.bin
e2d57d48cfa5172193cfbbc869adf4e7f1cfcb7c867d5e4a75d976f4f2d39b28		 pdf-font-stream PDF embedded font (type1) at offset 0x1FA8B 11006 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.74, consistent with packed or encrypted content.
font_04_type1_off00022608.bin
85fc13af728ef001646358bb0039840928d8c734203777246258b87b93d8c5d5		 pdf-font-stream PDF embedded font (type1) at offset 0x22608 5249 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.43, consistent with packed or encrypted content.
font_05_type1_off00023b5d.bin
86b5030002c840fbbdb8b0db06f90dafa297bd53154509fbc033e1b70d00ce5c		 pdf-font-stream PDF embedded font (type1) at offset 0x23B5D 2992 bytes
font_07_type1_off00025995.bin
fe05b48f9bf68761027703dde521ec1757bf695ab369bd1f023d8677855caf19		 pdf-font-stream PDF embedded font (type1) at offset 0x25995 14896 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.80, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.