Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab2e6b3766ec958f…

MALICIOUS

PDF

9.1 KB Created: 2013-06-03 21:55:26 -02:00 Authoring application: htmldoc 1.8.23 Copyright 1997-2002 Easy Software Products, All Rights Reserved.
MD5: 310d9ab635abf5840ffece9a0b686d60 SHA-1: 2d28032a997cf85fe791bc5466a6b4df62a759d3 SHA-256: ab2e6b3766ec958f9ffc1dff85e2465cc227cfa292299e3e6acf9e82c8875181
142 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious File T1204.002 Malicious File: User Execution T1059 Command and Scripting Interpreter T1059.003 Command and Scripting Interpreter: Windows Command Shell

The PDF file contains a dangerous URI that references a command interpreter path, specifically 'mailto:test%../../../../windows/system32/calc.exe".cmd'. This indicates an attempt to execute arbitrary commands on the victim's system. The heuristic 'SE_LOLBIN_RUN_COMMAND' further supports this by detecting visible command execution instructions within the document. The ClamAV detection confirms the malicious nature of the file. The primary intent appears to be the execution of a command-line utility, likely to download and run a second-stage payload.

Heuristics 5

  • ClamAV: Pdf.Malware.Agent-9982938-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Malware.Agent-9982938-0
  • PDF URI references command interpreter path high PDF_DANGEROUS_URI_COMMAND
    PDF contains a /URI action whose target uses a mailto/path traversal shape and references a command interpreter or scripting host. This is not a normal web link and matches legacy PDF command execution/dropper lures.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2007-10/msg00093.html
    • http://secdev.zoller.lu
    • http://lists.grok.org.uk/full-disclosure-charter.html
    • http://www.derkeiler.com/Mailing−Lists/Full−Disclosure/2007−10/msg00093.html
    • http://secunia.com/

Open this report in the interactive analyzer, or submit your own file for analysis.