MALICIOUS
342
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious Link
T1059.003 Windows Command Shell
The PDF file contains a critical PDF_LAUNCH heuristic firing indicating a launch action. This action targets cmd.exe, which is then used to create and execute a VBScript payload. The script itself is embedded within the PDF and is likely responsible for downloading and executing a second-stage payload from the external URI http://www.foo.be/. The PDF also exhibits parser evasion techniques.
Heuristics 9
-
Launch action critical PDF_LAUNCHPDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
-
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMANDPDF /Launch action specifies an executable target with parameters '/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream"' — references a known-dangerous executable (cmd, PowerShell, etc.).
-
ClamAV: Win.Trojan.Dropper-134 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Dropper-134
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASIONPDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.foo.be/
- http://www.gitorious.org/~adulau
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_pdf_script_0000ddf7.binf7da54c1c4956dd6529949e1bac1dcb9cfa4c01672bc6a3b6dd50b7ba46cd9bd |
pdf-embedded-script | PDF decompressed stream script payload at offset 0xDDF7 | 113213 bytes |
|
Detection
ClamAV:
Win.Trojan.Dropper-134
Obfuscation or payload:
likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 2 long base64-like blob(s).
|
|||
font_00_cff_off00003d8a.bin09e18e495b68106a55aace3f441183e73b28de0f6fbcb0af0b76d08e38de00da |
pdf-font-stream | PDF embedded font (cff) at offset 0x3D8A | 15636 bytes |
font_01_sfnt_off00007386.bin1bbf8d898c7de34b2ed1bfb68d2725a06e3c5e09957aee601794b4fe88adb9f4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7386 | 13054 bytes |
font_02_cff_off00009b0d.bin81cd2ec160f0dbbfecf3a7282aa50fb69c8be6a3e42aa5a6d27c573cc7517a2e |
pdf-font-stream | PDF embedded font (cff) at offset 0x9B0D | 7529 bytes |
font_03_cff_off0000b8d9.bin19f70b70255abac1a93513d95c8ae661c9f9d2f99400a22c24727869e919e5ad |
pdf-font-stream | PDF embedded font (cff) at offset 0xB8D9 | 7369 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.