Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac3f47da3c2024ab…

MALICIOUS

PDF

221.5 KB Created: 2009-12-02 08:12:33 -08:00 Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 8.1.0 (Windows))
MD5: 21b22f84d984be3be79d38e5f069d9f3 SHA-1: edb2be077f3848f800c6ab6e19d58ad2db6d666a SHA-256: ac3f47da3c2024aba1125daaaa491518ffc15bf1d4d382b36895534216d472ff
384 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

This PDF file contains embedded JavaScript and a PE payload, indicating malicious intent. The critical heuristics indicate a launch action targeting cmd.exe, exploiting CVE-2010-1240 to execute an embedded executable. The embedded executable was detected by ClamAV as Win.Trojan.Rozena-131, and the PDF itself was flagged as Pdf.Tool.Agent-1388586.

Heuristics 10

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\pdf.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 14

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0163_000.js
43c541c654fef21cf523c77fa0bd58c79db84e77b5febae0582d6bdff7dc683a		 pdf-javascript-stream PDF /JS object 163 at offset 0x371E4 52 bytes
stream_014_off0000d689.bin
dca245cedcf22d5b26267e22d36eac9268cec5a9e9f27c8236eec5123a66a74f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xD689 4666 bytes
stream_053_off000324ff.bin
50200cb2f83c339abd27fd81d7115503af735982b4060286124c8473cdc2d00c		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x324FF 37888 bytes
Detection
ClamAV: Win.Trojan.Rozena-131
Obfuscation or payload: unlikely
font_00_cff_off00000d3a.bin
b0c5c9e3163b7417b7ede0d8237d4fb0e25a00c9404f12156bea3c9f20d22c78		 pdf-font-stream PDF embedded font (cff) at offset 0xD3A 6111 bytes
font_01_cff_off00002c8a.bin
f4eeda6e5d2cb9bbcf05b224c5d7fae5cfdae199c52f025323300cbebe7f7a8b		 pdf-font-stream PDF embedded font (cff) at offset 0x2C8A 5384 bytes
font_02_sfnt_off00004394.bin
1d323dae2cd4830cc9befa2da6f0bda00ed884a90bb0e84badc369384ce1198e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4394 9080 bytes
font_03_sfnt_off00021519.bin
190305fcc6034e92e35594b4a7d887b23148a835a99328630372f1cfcf4fe41b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x21519 23776 bytes
font_04_cff_off00023df9.bin
73f557a71b8ecfed208c3d13f501aa1c9568932c4a091b68351e88294f42051f		 pdf-font-stream PDF embedded font (cff) at offset 0x23DF9 12355 bytes
font_05_sfnt_off00026bfb.bin
67468f5cf48b0e46d6d125ca4955e7655cef9ec7d4c43f4fb86bff5c71daae6a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x26BFB 5884 bytes
font_06_cff_off0002827d.bin
0c6896733810b9242586ca373541c3ebdde6e5a91b53b588f7e687690fa1f0d2		 pdf-font-stream PDF embedded font (cff) at offset 0x2827D 5526 bytes
font_07_sfnt_off0002984b.bin
8e7b88b0245cd71bc38839e5fba3f7917a9a4065fb031442f6ee84a73775e8b3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2984B 21736 bytes
font_08_sfnt_off0002b8fa.bin
4c487e09361a14da36cfae1dc1a85eb0ef677e44026c076ec3bc08b79beb7afb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2B8FA 23480 bytes
font_09_cff_off0002da9b.bin
852f9f7434f94b437d2db4145a4c638f64baad01373c6ddef2ecae7dbd0dd920		 pdf-font-stream PDF embedded font (cff) at offset 0x2DA9B 6968 bytes
font_10_cff_off0002f86b.bin
8b5e0d718003c46a9c478822a887647f1e47ff4f5259855735ac812464d310d0		 pdf-font-stream PDF embedded font (cff) at offset 0x2F86B 3898 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.