Verdict: MALICIOUS
Risk score: 304
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.003 Windows Command Shell
T1105 Ingress Tool Transfer
The PDF carries embedded JavaScript together with a /Launch action. The action invokes cmd.exe with attacker-controlled parameters intended to download and run a secondary payload; the visible parameter fragment first checks for a file on the user's Desktop, consistent with the JavaScript having written an attachment there. This is the Adobe Reader/Acrobat /Launch action command-execution technique tracked as CVE-2010-1240. The call to this.exportDataObject() in the JavaScript is the dropper half of the chain: it saves an embedded attachment to disk for the launched command to execute. ClamAV independently detects the file as Pdf.Tool.Agent-1388586. Current Adobe Reader versions refuse /Launch targets that are executables by default, so the chain only fires in viewers and configurations that still honour the action; the static indicators below identify the sample either way.
Heuristics (8)

| Heuristic | Severity | Rule | Description |
|---|---|---|---|
| Adobe Reader Launch action command execution | critical | CVE_2010_1240 (exact CVE match) | PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload. |
| Launch action | critical | PDF_LAUNCH | PDF contains a /Launch action whose target is an executable, URL, or UNC path and can therefore start an external application. |
| /Launch action target: cmd.exe | critical | PDF_LAUNCH_COMMAND | The /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\test.pdf" (cd "Desktop"' (shown truncated) and references a known-dangerous executable (cmd, PowerShell, etc.). |
| ClamAV: Pdf.Tool.Agent-1388586 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Pdf.Tool.Agent-1388586. |
| /Launch action paired with attachment-dropping JS API | high | PDF_LAUNCH_PLUS_DROPPER_JS | PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource, the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target. |
| JavaScript action | low | PDF_JAVASCRIPT | PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. |
| Embedded JS stream | low | PDF_JS | PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. |
| Embedded file | low | PDF_EMBEDDED | PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload. |
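As an added example (this is not the analyzer's code), the Python script below re-creates the shape of the heuristics above as static checks: it inflates FlateDecode streams so compressed JavaScript is visible, parses /Launch action dictionaries with a proper PDF literal-string reader (the report's /P value contains nested parentheses, which a naive regex would cut off), and emits the same rule names. The rule names are borrowed for readability; the verdict policy is this example's own, and the sample PDF it scans is constructed here, not carved from the report's file.

```python
"""Static triage for PDF /Launch + JavaScript drop-and-execute chains.
Added example; not the analyzer's code. Rule names mirror the report's
heuristics, detection logic and verdict policy are this example's own."""
import re
import zlib

# /Launch targets treated as critical (assumption: a short interpreter list).
DANGEROUS_TARGETS = re.compile(
    r"(?:^|[\\/])(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil)(?:\.exe)?$",
    re.IGNORECASE)
# Acrobat JavaScript APIs that write, open or launch attachments / URLs.
DROPPER_APIS = re.compile(rb"exportDataObject|importDataObject|launchURL|app\.openDoc")
# stream ... endstream bodies; the lookbehind stops 'endstream' matching as 'stream'.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
PDF_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}


def read_literal(buf, start):
    """Read the PDF literal string whose '(' is at buf[start].
    Balanced nested parentheses are legal inside a literal, so depth is
    tracked; backslash escapes are decoded (octal escapes are not).
    Returns (decoded bytes, index just past the closing ')')."""
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            i += 1
            nxt = buf[i:i + 1]
            out += PDF_ESCAPES.get(nxt, nxt)
        elif c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
            out += c
        else:
            out += c
        i += 1
    return bytes(out), i  # unterminated literal: return what was read


def inflate_streams(pdf):
    """Return the file followed by the inflated body of every stream that
    zlib can decompress, so keyword checks also see compressed JavaScript."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed or non-zlib stream (fonts, images, raw data)
    return pdf + b"\n" + b"\n".join(bodies)


def find_launch_actions(text):
    """Return [(target, params), ...] for each /Launch action dictionary.
    Only the /Win << /F (...) /P (...) >> literal-string form is parsed."""
    found = []
    for m in re.finditer(rb"/S\s*/Launch", text):
        end = text.find(b"endobj", m.end())
        window = text[m.end():end if end != -1 else m.end() + 4096]
        target = params = b""
        fm = re.search(rb"/F\s*\(", window)
        if fm:
            target, _ = read_literal(window, fm.end() - 1)
        pm = re.search(rb"/P\s*\(", window)
        if pm:
            params, _ = read_literal(window, pm.end() - 1)
        found.append((target.decode("latin-1"), params.decode("latin-1")))
    return found


def triage(pdf):
    """Apply the rules and return {"findings": [(rule, severity, detail)],
    "launch": [(target, params)], "verdict": str}."""
    text = inflate_streams(pdf)
    findings = []
    launches = find_launch_actions(text)
    if launches:
        findings.append(("PDF_LAUNCH", "critical", "%d /Launch action(s)" % len(launches)))
    for target, params in launches:
        if DANGEROUS_TARGETS.search(target):
            findings.append(("PDF_LAUNCH_COMMAND", "critical", "%s %s" % (target, params)))
    if re.search(rb"/S\s*/JavaScript", text):
        findings.append(("PDF_JAVASCRIPT", "low", "/JavaScript action"))
    if re.search(rb"/JS\b", text):
        findings.append(("PDF_JS", "low", "/JS stream reference"))
    if re.search(rb"/Type\s*/EmbeddedFile|/EmbeddedFiles", text):
        findings.append(("PDF_EMBEDDED", "low", "embedded file attachment"))
    api = DROPPER_APIS.search(text)
    if launches and api:  # the drop-and-execute pairing the report scores 'high'
        findings.append(("PDF_LAUNCH_PLUS_DROPPER_JS", "high",
                         "/Launch paired with %s()" % api.group(0).decode()))
    sevs = {s for _, s, _ in findings}
    verdict = ("MALICIOUS" if "critical" in sevs else "SUSPICIOUS" if "high" in sevs
               else "LOW" if sevs else "CLEAN")
    return {"findings": findings, "launch": launches, "verdict": verdict}


def build_sample():
    """Constructed test document (not the report's file): a /Launch on cmd.exe
    whose /P mimics the report's nested-parenthesis style, FlateDecode-compressed
    JavaScript calling exportDataObject, and a 4-byte embedded-file stub."""
    params = b'/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\\\test.pdf" (cd "Desktop"))'
    js = zlib.compress(b'this.exportDataObject({cName: "payload.exe", nLaunch: 2});')
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R "
        b"/Names << /JavaScript << /Names [(init) 4 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (" + params + b") >> >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js) + js + b"\nendstream",
        b"<< /Type /EmbeddedFile /Length 4 >>\nstream\nMZ\x90\x00\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    return out + b"trailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    report = triage(build_sample())
    print(report["verdict"])
    for rule, sev, detail in report["findings"]:
        print("%-28s %-8s %s" % (rule, sev, detail))
```

Run it on a real file with `triage(open(path, "rb").read())`. The literal-string reader is the part worth keeping: the report's own /P value is displayed cut off inside an unbalanced parenthesis, which is exactly the input that makes a `\([^)]*\)` regex under-report the command line.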
Extracted artifacts (10)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0112_000.js | b1a09f919e0f5d1c1d284849c9af93bae6fd1411634dfdc491e126f9cd327f3f | pdf-javascript-stream | PDF /JS object 112 at offset 0x1C413 | 53 bytes |
| stream_020_off0001652f.bin | 936857c1398ac2ca63cae21006674501866e32eae51f703bab13e1c340b386e2 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1652F | 19092 bytes |
| icc_00_off00000dd6.icc | 2a18161bb96fd584d19e737ce294732789e0e8e6ae8c8e4e5f09f1b138232a63 | pdf-icc-profile | PDF ICC profile at offset 0xDD6 | 1456 bytes |
| font_00_sfnt_off0000aa11.bin | 73d3bc1b738561cbbad03e316827355903aca94c1a8726ccfa91212161db4773 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAA11 | 11356 bytes |
| font_01_sfnt_off0000c988.bin | b7a567f6aeb6d2b9006b2bb498e3589e769d8f5dc4d1dc106803e9a8e8324e8c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC988 | 6440 bytes |
| font_02_sfnt_off0000dcb1.bin | 936cf23cba84f9ea4331ddf27798c01a6ea07cd58fb933f033a1a0fb07eccfb1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDCB1 | 7032 bytes |
| font_03_sfnt_off0000f175.bin | c9e366533c05cec873367ee1907992cf58d94e610020d92a3e6913f003bb493f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF175 | 22944 bytes |
| font_04_sfnt_off00012e0e.bin | 6fccfda4f6b7df518eca9c9c2dd8d1d43a765a1800266ce9bc506f30e6ab69b4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E0E | 23108 bytes |
| font_06_sfnt_off00018f8c.bin | 5abc68159b051bda37ceeefa625ce3eba12d0a6a49d9ff1e7b2fbad48944799a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18F8C | 10932 bytes |
| font_07_sfnt_off0001aeda.bin | 55322c2ea0ef15039fda832dd3b70dfff66090d629b2dd6920926a6d6b0a4799 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1AEDA | 3308 bytes |
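To reproduce a table like the one above from a file of your own, here is an added carver (not the analyzer's code) that walks every stream object, records the object's file offset, inflates FlateDecode bodies, hashes the result with SHA-256 and labels the kind from content: sfnt fonts by their 0x00010000 / 'true' / 'OTTO' magic, ICC profiles by the 'acsp' signature at byte 36, JavaScript by the object being referenced from a /JS key. The filename pattern, the per-kind counters and the choice of object-header offset are assumptions modelled on the table, not a specification of the analyzer; the sample it runs on is constructed inline.

```python
"""Carve, classify and fingerprint PDF streams. Added example, not the
analyzer's code; naming and offset conventions are assumptions."""
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b")
STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")


def fingerprint(body):
    """SHA-256 hex digest of carved (inflated, where applicable) content."""
    return hashlib.sha256(body).hexdigest()


def classify(obj_num, dict_, body, js_objs):
    """Return (kind, filename stem) from content magic and /JS references."""
    if body[:4] in (b"\x00\x01\x00\x00", b"true", b"OTTO"):   # sfnt font magic
        return "pdf-font-stream", "font_%02d_sfnt_off%08x.bin"
    if len(body) >= 40 and body[36:40] == b"acsp":            # ICC profile signature
        return "pdf-icc-profile", "icc_%02d_off%08x.icc"
    if obj_num in js_objs:                                     # stream owned by a /JS key
        return "pdf-javascript-stream", "javascript_obj%04d_%03d.js"
    if b"/FlateDecode" in dict_:
        return "decompressed-pdf-stream", "stream_%03d_off%08x.bin"
    return "raw-pdf-stream", "stream_%03d_off%08x.bin"


def carve(pdf):
    """Return [{name, sha256, kind, source, size}, ...] for every stream object."""
    js_objs = {int(n) for n in re.findall(rb"/JS\s+(\d+)\s+\d+\s+R", pdf)}
    counters, records = {}, []
    for m in OBJ_RE.finditer(pdf):
        obj_num, offset = int(m.group(1)), m.start()
        end_obj = pdf.find(b"endobj", m.end())
        chunk = pdf[m.end():end_obj if end_obj != -1 else len(pdf)]
        sm = STREAM_KW.search(chunk)
        es = chunk.rfind(b"endstream")
        if sm is None or es < sm.end():
            continue  # not a stream object, or malformed
        dict_ = chunk[:sm.start()]
        body = chunk[sm.end():es].rstrip(b"\r\n")
        if b"/FlateDecode" in dict_:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # declared Flate but corrupt/truncated: keep raw bytes
        kind, template = classify(obj_num, dict_, body, js_objs)
        n = counters.get(kind, 0)
        counters[kind] = n + 1
        if kind == "pdf-javascript-stream":
            name = template % (obj_num, n)
            source = "PDF /JS object %d at offset 0x%X" % (obj_num, offset)
        else:
            name = template % (n, offset)
            source = "%s at offset 0x%X" % (kind, offset)
        records.append({"name": name, "sha256": fingerprint(body), "kind": kind,
                        "source": source, "size": len(body)})
    return records


def stream_obj(body, flate):
    """Build one stream object body for the constructed sample."""
    if flate:
        body = zlib.compress(body)
    filt = b" /Filter /FlateDecode" if flate else b""
    return b"<< /Length %d%s >>\nstream\n%s\nendstream" % (len(body), filt, body)


def build_sample():
    """Constructed sample (not the report's file): compressed JS referenced
    by /JS, an sfnt-magic font stub and an ICC stub with 'acsp' at byte 36."""
    objs = [
        b"<< /Type /Catalog /OpenAction 2 0 R >>",
        b"<< /S /JavaScript /JS 3 0 R >>",
        stream_obj(b"app.alert('hi');", flate=True),
        stream_obj(b"\x00\x01\x00\x00" + b"\x00" * 28, flate=False),
        stream_obj(b"\x00" * 36 + b"acsp" + b"\x00" * 8, flate=True),
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    return out + b"trailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for rec in carve(build_sample()):
        print("| %(name)s | %(sha256)s | %(kind)s | %(source)s | %(size)d bytes |" % rec)
```

The hash is taken over the inflated content, which is what you want for matching against other reports or for a YARA hit on the JavaScript text; hashing the compressed bytes instead would change with the producer's zlib settings.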