Malicious PDF — malware analysis report

Static analysis result for SHA-256 a03faa7ba319d5f4…

MALICIOUS

PDF

456.4 KB Created: 2007-04-19 01:13:58 UTC Authoring application: FrameMaker 7.2 (via Acrobat Distiller 7.0 (Windows))
MD5: 0faab0e2fd93eb2a7d72317604cd0dfe SHA-1: 62a7a90a0018b2c16c204c5fa37b3fa257ccb670 SHA-256: a03faa7ba319d5f462034ecc504b49feca85ee6232d7a72ed789782f39cc40ba
326 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

This PDF file contains embedded JavaScript and an embedded executable payload, indicating a malicious intent. The critical heuristic firings confirm the exploitation of CVE-2010-1240 via a launch action targeting cmd.exe, which is designed to execute commands. This strongly suggests the document is a dropper that attempts to download and execute a second-stage payload from the embedded executable or via further commands. The embedded file 'embedded_file_obj0019.bin' and the JavaScript stream are key components of this attack chain.

Heuristics 10

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\msexchng.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 12

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0019.bin
92c1099a336b70e5880354bb469740551af654515aa5d5c09de8ad1b8f33cf14		 pdf-embedded-file PDF EmbeddedFile object 19 at offset 0x290CC 15773 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 13 long base64-like blob(s).
javascript_obj0233_000.js
2a3d5036c1de94357ab6f932ff6d7cb2e3ef331b75111f1164c65b6d50f764e6		 pdf-javascript-stream PDF /JS object 233 at offset 0x4FE41 57 bytes
stream_025_off0002e630.bin
fcd06aa466ea22088f908ea42d2b17c88097139f7366b46ad198543b17eb842e		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2E630 193536 bytes
stream_026_off00050431.bin
c1d5344bdcc6704ff580cb83700d4f45c006c6ea6b200b238b45e26ab5035bdb		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x50431 193536 bytes
font_00_cff_off0000318d.bin
7193c32364a81bf7ddf2cef34b284488e6e35c813b49e565fcfd3f8170d96b0f		 pdf-font-stream PDF embedded font (cff) at offset 0x318D 338 bytes
font_01_cff_off00003319.bin
77dc3d77a509c7b019b2241c74470cd4d972a70ca2fcc386d7004ae5d032f5a5		 pdf-font-stream PDF embedded font (cff) at offset 0x3319 1223 bytes
font_02_cff_off000037dc.bin
db89ac3a1e10ee22212b88bc0c15092da75b9062868b7eda6407b7d871c17e4f		 pdf-font-stream PDF embedded font (cff) at offset 0x37DC 3927 bytes
font_03_cff_off00004514.bin
2fdaebfa5e4095201467a640291ec7fd1079f406a4ddcb550159406247bb60d5		 pdf-font-stream PDF embedded font (cff) at offset 0x4514 6624 bytes
font_04_cff_off00005c9a.bin
5fe4e8e4f20e0b10c3c528666dfd9a79cbcddbd9e0ffb8a6ad1c49a0c22f5464		 pdf-font-stream PDF embedded font (cff) at offset 0x5C9A 4844 bytes
font_05_cff_off00024c6e.bin
2b96e83bbb44d36713691a43220681312d8a5dcb56a4fb98f5da716c0ffcf696		 pdf-font-stream PDF embedded font (cff) at offset 0x24C6E 1588 bytes
font_06_cff_off00027e8a.bin
d7838a1a5d6ee07385236cc74221185a7e0ca2d234722066d75a113c87f859e6		 pdf-font-stream PDF embedded font (cff) at offset 0x27E8A 303 bytes
font_07_cff_off0002855b.bin
7fa35482b04df578625e0d0811077c608f3239a5254fb169418f6f5148b6e1e6		 pdf-font-stream PDF embedded font (cff) at offset 0x2855B 3024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.