MALICIOUS
454
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.001 PowerShell
T1105 Ingress Tool Transfer
T1027 Obfuscated Files or Information
This PDF document contains embedded JavaScript that leverages the PDF's launch action to execute PowerShell. The PowerShell command is designed to download and execute a second-stage payload, as indicated by the critical PDF_LAUNCH_COMMAND and PDF_EMBEDDED_SCRIPT_PAYLOAD heuristics. The embedded artifact 'template.pdf' is likely the second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 11
-
Adobe Reader Launch/export embedded executable chain critical CVE likely CVE_2010_1240_EMBEDDED_PE_EXPORTPDF combines a /Launch action with an embedded-file name tree, exportDataObject JavaScript, and embedded executable bytes. This matches the CVE-2010-1240 Launch-file abuse chain even when the Launch dictionary does not expose the stricter cmd.exe /Win shape.
-
Launch action critical PDF_LAUNCHPDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
-
/Launch action target: powershell.exe critical PDF_LAUNCH_COMMANDPDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\template.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
-
ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Tool.Agent-1388586
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
/Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JSPDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0009_000.jsbc1d5cdfa608238e3cd965aa51949d02f8ab713463ea0beb61ec928b121788d1 |
pdf-javascript-stream | PDF /JS object 9 at offset 0xB043 | 57 bytes |
embedded_pdf_script_0000b0d3.bin50f2823bd8be90ebf1995aa20f0ffe62ac389ead5f81f22f09595b995130685a |
pdf-embedded-script | PDF decompressed stream script payload at offset 0xB0D3 | 46125 bytes |
|
Detection
ClamAV:
Pdf.Tool.Agent-1388586
Obfuscation or payload:
likely
Carved artifact contains 1 shell/COM execution token(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.