Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8c68aa9e18f8d90…

MALICIOUS

PDF

679.7 KB Created: 2009-11-23 14:56:36 +01:00 Authoring application: Adobe InDesign CS3 (5.0.4) (via Adobe PDF Library 8.0)
MD5: 1909b9c44af55889e21fd714f0711485 SHA-1: a477eea05ef96b0091cfbe262f71b40f12077772 SHA-256: b8c68aa9e18f8d90bbc99d0894792861bfae19c7d2ebc97f293783a68c7ef6a5
364 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

This PDF file utilizes embedded JavaScript to execute a launch action targeting cmd.exe. The command line includes instructions to change directories and potentially execute a file named 'swu.pdf' from the Desktop. This indicates the PDF is designed to act as a dropper, downloading and executing a secondary payload. The embedded executable payload and ClamAV detections further confirm its malicious nature.

Heuristics 10

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\swu.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.color.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/exif/1.0/aux/
    • http://ns.adobe.com/camera-raw-settings/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0062_000.js
dbdedcc603fa160eff0694c9308595dfec5d1cde6ac35fcaf9a85a2df546e5d1		 pdf-javascript-stream PDF /JS object 62 at offset 0xA9851 52 bytes
stream_023_off000454f7.bin
35f401731df11a4eba3502af632e51d68bc394bcb7d34632a331c1ba3f4a0bf6		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x454F7 557168 bytes
stream_024_off000a4b63.bin
be1c4cbf3acb8f62f35969460b8b14c30aeef413edef0381d69b795c3621b667		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xA4B63 37888 bytes
Detection
ClamAV: Win.Trojan.Rozena-131
Obfuscation or payload: unlikely
font_00_cff_off0001507b.bin
e5d4fb7375f15cc4fc53cbb369d6ba501c303fa1d59ae1274630bba6cad89c57		 pdf-font-stream PDF embedded font (cff) at offset 0x1507B 4629 bytes
font_01_cff_off00015fb5.bin
bb92cede0f8fbc56f9499c054f3f6e4eaef9523b8baeac90b1df30e69a764dbb		 pdf-font-stream PDF embedded font (cff) at offset 0x15FB5 1454 bytes
font_02_cff_off00016513.bin
c06ca3269f87151c034987c542f0c91c71006b88a6df0c6d29b8be29d99302e1		 pdf-font-stream PDF embedded font (cff) at offset 0x16513 4941 bytes
font_03_cff_off0001751b.bin
fd7adfe91927a730a452ce587d6cb53def796f493061154c14f793b5e80fdc96		 pdf-font-stream PDF embedded font (cff) at offset 0x1751B 5567 bytes
font_04_cff_off0002857d.bin
71ffec79965f2ada5533c6e2eecd483308f11346a4718619d31ea96590c99a1e		 pdf-font-stream PDF embedded font (cff) at offset 0x2857D 328 bytes
font_05_cff_off0003f56a.bin
2d8e3486809f5338225dacbd3e8ccbad2aae90e4d1c6f7239b2f7de49add101f		 pdf-font-stream PDF embedded font (cff) at offset 0x3F56A 1801 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.