Malicious PDF — malware analysis report

Static analysis result for SHA-256 9afce8950c1237db…

MALICIOUS

PDF

1.85 MB Created: 2013-11-11 17:06:16 -08:00 Authoring application: Microsoft® Word 2013
MD5: 77316f3100df88c7bec5fb5b928d6d90 SHA-1: 8089c258b57f01a62a21141477a49dc4f29ac5b0 SHA-256: 9afce8950c1237db7f6830909a9907538350eef2af9d95e441825745ab35a820
406 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The PDF file contains a critical PDF_LAUNCH heuristic firing indicating a launch action targeting cmd.exe with specific parameters, exploiting CVE-2010-1240. Additionally, a PDF_LAUNCH_PLUS_DROPPER_JS heuristic indicates the use of JavaScript to export data objects, combined with an embedded file that masquerades as a PDF but is detected as a Windows executable. This suggests the document is designed to drop and execute a malicious payload. The ClamAV detection of 'Pdf.Dropper.Agent-7286040-0' further supports this. The embedded JavaScript likely facilitates the execution of the dropped payload.

Heuristics 12

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable critical PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Pdf.Dropper.Agent-7286040-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7286040-0
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://blogs.technet.com/b/askperf/archive/2011/06/17/demystifying-shims-or-using-the-app-compat-toolkit-to-make-your-old-stuff-work-with-your-new-stuff.aspx
    • http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx
    • http://blogs.technet.com/b/srd/archive/2009/11/20/sehop-per-process-opt-in-support-in-windows-7.aspx
    • http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx
    • http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx
    • http://technet.microsoft.com/en-us/library/cc700805.aspx
    • http://aka.ms/emet41ps
    • http://support.microsoft.com/kb/2790907
    • http://blogs.technet.com/b/srd/archive/2013/05/08/emet-4-0-s-certificate-trust-feature.aspx
    • http://blogs.technet.com/b/configmgrteam/
    • http://go.microsoft.com/fwlink/?LinkID=213962

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
pdf
56ee927628ee49a07a26e8a30030a625b4fb2583858dc8f39e78935c9c8f81d8		 pdf-embedded-file PDF EmbeddedFile object 3363 at offset 0x1CD36B 73802 bytes
javascript_obj3364_000.js
135d8ff085921b81e04dc360543078fa4091eb102c6c0edfa69b9c2e8675d290		 pdf-javascript-stream PDF /JS object 3364 at offset 0x1D7F92 49 bytes
stream_001_off00000b65.bin
8b83b145a47c9dc723f2534e86f340472b5ec10cc832ed5ce36d9220ab35563e		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xB65 1313352 bytes
stream_003_off00004894.bin
f2ebbf48d4a4a8e4ae610dac00d41eea1a58e86613f7b66171910ea38cc97977		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4894 792000 bytes
stream_015_off00017bb1.bin
b6d48727f67b455f73050e04faec37de033d53c2bf110612b54f42d1beb049bb		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x17BB1 1482624 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.