Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3cd0bc16fedc7bc…

MALICIOUS

PDF

Size: 267.2 KB
Created: 2008-05-20 14:23:38 -05:00
Authoring application: Adobe Illustrator CS2 (via Acrobat Distiller 7.0.5 (Windows))
MD5: 1bd036a473e001277fab8fbefb1e9344
SHA-1: a146c8a08a691baf462cb9c6de0c43c7b5c085ac
SHA-256: b3cd0bc16fedc7bc07c87c6700407107ba502721c624d5544851112e74dd6e08
Risk Score: 384

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The PDF file contains embedded JavaScript and a launch action that targets cmd.exe, indicating an attempt to execute arbitrary commands. The critical heuristic PDF_EMBEDDED_PE_PAYLOAD confirms the presence of an embedded executable payload. ClamAV detections on both the PDF and the extracted artifact (Win.Trojan.Rozena-131) further solidify its malicious nature. The exploit chain matches CVE-2010-1240, a known vulnerability for command execution via PDF launch actions.

Heuristics (10)

  • Adobe Reader Launch action command execution [critical, CVE exact: CVE_2010_1240]
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action [critical, PDF_LAUNCH]
    PDF contains a /Launch action whose target is an executable, URL, or UNC path; such an action can start an external application.
  • Embedded Windows executable payload in PDF stream [critical, PDF_EMBEDDED_PE_PAYLOAD]
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe [critical, PDF_LAUNCH_COMMAND]
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\Stark_Best_Places_To_Work.pdf" (cd "Desktop"'; the target is a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Exploit.Agent-24003 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-24003
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • JavaScript action [low, PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low, PDF_EMBEDDED]
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs listed below are all standard XMP/RDF metadata namespace identifiers, consistent with the Adobe authoring tools named above, rather than network destinations.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (17)

Files carved from inside the sample during analysis.

Each entry lists: filename (kind, size), source inside the PDF, SHA-256 of the carved file, and any detection on it.

  • javascript_obj0097_000.js (pdf-javascript-stream, 74 bytes)
    Source: PDF /JS object 97 at offset 0x4283B
    SHA-256: 66a0bfb0b3ea208aeaf26f2702857309a0c332cc892612de554a79500f70414b
  • stream_010_off0000a1a2.bin (decompressed-pdf-stream, 7203 bytes)
    Source: PDF FlateDecoded stream at offset 0xA1A2
    SHA-256: c5109fa42fc78d5e31e4a0453c0d05d15e75b5e2a430dd5a7f479eb9f5841c8f
  • stream_040_off0003db0c.bin (decompressed-pdf-stream, 37888 bytes)
    Source: PDF FlateDecoded stream at offset 0x3DB0C
    SHA-256: 1f5cfbe0db0be5bba8d7b7e75a1cd1653a3f4210c5f4b4d910d8fe8a8faa418e
    Detection: ClamAV: Win.Trojan.Rozena-131
    Obfuscation or payload: unlikely
  • icc_00_off00002dde.icc (pdf-icc-profile, 3144 bytes)
    Source: PDF ICC profile at offset 0x2DDE
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  • font_00_cff_off0000c30c.bin (pdf-font-stream, 1244 bytes)
    Source: PDF embedded font (cff) at offset 0xC30C
    SHA-256: e001c3a5610fb8e12ea5149bcac0e336c48587e1b5cf5fb2e142db15610d126f
  • font_01_cff_off0000c8d2.bin (pdf-font-stream, 1368 bytes)
    Source: PDF embedded font (cff) at offset 0xC8D2
    SHA-256: e9b4709e37cf14aeb2ff6188bafece6fbd3e72e55dee0d553e945a6b04ca7900
  • font_02_cff_off0000cf28.bin (pdf-font-stream, 4215 bytes)
    Source: PDF embedded font (cff) at offset 0xCF28
    SHA-256: 89e16564daaedf0991a52efed6b5879e99163e0ad570995d7c0db08957d7733c
  • font_03_cff_off0000e051.bin (pdf-font-stream, 1805 bytes)
    Source: PDF embedded font (cff) at offset 0xE051
    SHA-256: 4c337e4adda220e023988528928365bf487cc0bf33901acf01ccf308c2231677
  • font_04_cff_off00017bbe.bin (pdf-font-stream, 5216 bytes)
    Source: PDF embedded font (cff) at offset 0x17BBE
    SHA-256: 28b45428a06976f39e0e01fa772cc47f208e7febdc70e4a5aa7fc2d4d35f925f
  • font_05_cff_off000190dc.bin (pdf-font-stream, 1452 bytes)
    Source: PDF embedded font (cff) at offset 0x190DC
    SHA-256: 416fcaf40b6a6e51d8f353c33a65112a9a54ece2bf7a2440473fd9fa96305ea3
  • font_06_cff_off00019904.bin (pdf-font-stream, 1760 bytes)
    Source: PDF embedded font (cff) at offset 0x19904
    SHA-256: 590b55e5af76fd6756930c327e07db01c1f49bc09a576de58add2ab9ec1132e1
  • font_07_cff_off0001a270.bin (pdf-font-stream, 1778 bytes)
    Source: PDF embedded font (cff) at offset 0x1A270
    SHA-256: 2bf8ef01d0b281c815efbb8416fdd80236bfba2a678c18c187b72c4ddd7b84e8
  • font_08_cff_off0001aba9.bin (pdf-font-stream, 1773 bytes)
    Source: PDF embedded font (cff) at offset 0x1ABA9
    SHA-256: a6bcdc545a8a954993e3cb69649d2ee8504fa495eb8ca97ee715c95518f816cf
  • font_09_cff_off00032bf2.bin (pdf-font-stream, 1906 bytes)
    Source: PDF embedded font (cff) at offset 0x32BF2
    SHA-256: 43fe417eaa497a139b5a35f0c9cb8824d9f72ede377b2fd822fbbaad1c66d663
  • font_10_cff_off00033319.bin (pdf-font-stream, 1778 bytes)
    Source: PDF embedded font (cff) at offset 0x33319
    SHA-256: 37b9f7328b97b4ea6002a8c78d9a63cf953a61caadb9aeb8a37de74e3cb82601
  • font_11_cff_off000339b4.bin (pdf-font-stream, 2096 bytes)
    Source: PDF embedded font (cff) at offset 0x339B4
    SHA-256: 31d3a6affc0537fb8912a02fa9188a2eb14b2bc18d6d4cf92e2a31606ba3c2bf
  • font_12_cff_off000341b1.bin (pdf-font-stream, 4381 bytes)
    Source: PDF embedded font (cff) at offset 0x341B1
    SHA-256: e0b7f8e50b3f469fea6b070c417dea92f8a6ee2679af2bb30e653128947a8983