PDF malware analysis — malicious · 911c515fb62d3c71

MALICIOUS

PDF

58.4 KB Created: 2010-05-18 06:04:38 +02:00 Authoring application: Writer (via OpenOffice.org 3.2)

MD5: 2839c540ea0ff3be905c17d49a4e263b SHA-1: ba7e92e66d8f70d302578f3b81db4b4d35b5d1e6 SHA-256: 911c515fb62d3c7178022b43cd89a06cb7d96e2e0fce5d42b6dbdcbdccd949f7

404 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

This PDF file contains embedded JavaScript and a PE payload, triggering critical heuristics for PDF launch actions and embedded executable payloads. The CVE_2010_1240 heuristic indicates a known vulnerability is being exploited to launch cmd.exe. The embedded artifact was detected as Win.Trojan.Rozena-131 by ClamAV, suggesting it is a secondary payload. The PDF's structure and heuristics strongly indicate a malicious intent to exploit the reader and download further malware.

Heuristics 10

Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240

PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
Launch action critical PDF_LAUNCH

PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD

PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND

PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\se-in.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 58 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0024_000.js` `bb728463b0d35dabcca9bcc71d5f786a6b9a2021cc2d5e00263b223cb25b9b55`	pdf-javascript-stream	PDF /JS object 24 at offset 0xE60F	54 bytes
`stream_005_off00009943.bin` `9bfb6a3922d4fbac29b6adfd02baa8c4b2ca4a0a674aa36831fd3e254cf731f1`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x9943	37888 bytes
Detection ClamAV: Win.Trojan.Rozena-131 Obfuscation or payload: unlikely
`font_00_sfnt_off00004f2d.bin` `54f6a50d18ba607328a558702befc3092942ebe2485c96226a1b26b0bbc80320`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4F2D	29760 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.