Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a755f79bab20511…

MALICIOUS

PDF

285.0 KB Created: 2010-02-07 22:10:13 +01:00 Authoring application: LaTeX with hyperref package (via xdvipdfmx (0.6))
MD5: 84391c5c50147058f088c52c0436d546 SHA-1: 361ce0f4e9f13cf7a97820c75f91533c0d47c6f2 SHA-256: 9a755f79bab2051154b022dce302ecf7d2e93f83a14063982fac2b980fda1e39
222 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains a launch action that executes cmd.exe, which is likely intended to download and execute a second-stage payload. The embedded script marker and suspicious extracted artifact further indicate malicious intent. The URL http://www.foo.be/ is also present in the document.

Heuristics 7

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.foo.be/
    • http://www.gitorious.org/~adulau

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_0000e209.bin
561352c3e72a22f21d8c2222f9566f8bf3e88e998c67d789d5042d4cd051156c		 pdf-embedded-script PDF decompressed stream script payload at offset 0xE209 291792 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 shell/COM execution token(s). Carved artifact contains 2 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.