Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9a7f4f00d77b88a…

MALICIOUS

PDF

226.1 KB Created: 2014-03-14 13:13:58 +00:00 Authoring application: Microsoft® Excel® 2010
MD5: 437a37127182054c3a0a80a4ac2d8ed0 SHA-1: 83dbde7c23221811624944eac2e532dce76a5606 SHA-256: a9a7f4f00d77b88a10e0ce6edaee474956a8ab2da1e8e92b946e3f9207b2b56c
364 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File Execution: Malicious File T1059.003 Command and Scripting Interpreter: Windows Command Shell T1566.002 Phishing: Spearphishing Attachment

This PDF file contains embedded JavaScript and a PE payload, indicating malicious intent. The critical PDF_LAUNCH and PDF_LAUNCH_COMMAND heuristics confirm that the file attempts to execute cmd.exe with specific parameters, which in turn is designed to run the embedded executable payload. This chain of execution is characteristic of a dropper or initial access mechanism.

Heuristics 9

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\Salaries.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0338_000.js
a3448aafca766f05c4dd662a455724999aea0445a6a537ea0db05cd4d5b5c233		 pdf-javascript-stream PDF /JS object 338 at offset 0x382E1 57 bytes
stream_006_off0002dfbc.bin
8490446b23becbb4a450aab4fe3f708c8a8b8981e5887c2875fef25536c51b2d		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2DFBC 88064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.