Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6c2fe149bf81785…

Verdict: MALICIOUS
File type: PDF
Size: 4.02 MB
Created: 2009-07-10 10:38:59
Authoring application: FreePDF XP 3.20 - http://shbox.de (via AFPL Ghostscript 8.54)
MD5: eb80432c024fe7d13e47c85671b55ffe
SHA-1: 2dd6979e3c137197c2346fe7ae81f0ffccf72318
SHA-256: a6c2fe149bf817851da5d29765ebfb3805a43b7f4ee230c5b3e234e84ac9ac3b
Risk score: 456

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that triggers a launch action, exploiting CVE-2010-1240 to execute cmd.exe. This command is used to launch an embedded Windows executable disguised as 'mallorca.pdf'. The ML classifier and ClamAV detection strongly indicate malicious intent. The embedded executable is likely a second-stage payload.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9954

Heuristics (12)

  • Adobe Reader Launch action command execution [critical] CVE_2010_1240 (exact CVE match)
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action [critical] PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path; such an action can start an external application.
  • Embedded Windows executable payload in PDF stream [critical] PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe [critical] PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C (if exist "%HOMEPATH%\\My Documents\\mallorca.pdf" (cd "%HOMEPATH%\\My Documents"' and references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable [critical] PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Pdf.Tool.Agent-1388586 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • /Launch action paired with attachment-dropping JS API [high] PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource, the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://shbox.de

Extracted artifacts (8)

Files carved from inside the sample during analysis (filename, SHA-256, kind, source, size).

  • mallorca.pdf
    SHA-256: 22b1b6e48982446a3f9150e0d6c6e64899b5829b00ec17679c8cadabb3a5e09f
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 37 at offset 0x7C9C
    Size: 4194304 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.95, consistent with packed or encrypted content)
  • javascript_obj0038_000.js
    SHA-256: 9cf32400e5e2a501593d2a02cd5ca2b87ba99bbbdef763f91cdaefeaa011b0f7
    Kind: pdf-javascript-stream
    Source: PDF /JS object 38 at offset 0x403EF0
    Size: 57 bytes
  • font_00_cff_off00002d62.bin
    SHA-256: a6127ed37281307a629350d568ee36b065deccdb00bb2f0ad808dfab0a69f8e6
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x2D62
    Size: 3387 bytes
  • font_01_cff_off000039c3.bin
    SHA-256: 26243245b932d372774a80473cadd215a4f059f03780dc4247a2457250a3462c
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x39C3
    Size: 1523 bytes
  • font_02_cff_off000041de.bin
    SHA-256: 2d3ab187791cc8fc58564627c62ca4e0edfa4831651f891d9472dea5ce8fdbc2
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x41DE
    Size: 5457 bytes
  • font_03_cff_off0000549e.bin
    SHA-256: 4c705b09605d83aa3f18cf2422d7a542ec9ef41b19b385b92b40789f1d163f6e
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x549E
    Size: 1049 bytes
  • font_04_sfnt_off00005990.bin
    SHA-256: 112e3c515ebd8a841a5e020de3975f04e4146b443df45a761017ddfffeaa99a4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5990
    Size: 5656 bytes
  • font_05_cff_off000065b1.bin
    SHA-256: 9c8a34a2757770ad5f28ac764342c12835afa13f0c08ad97029cffcd2162920a
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x65B1
    Size: 4874 bytes