Malicious PDF — malware analysis report

Static analysis result for SHA-256 c870ee43e442c33b…

Verdict: MALICIOUS
File type: PDF
Size: 1.07 MB
Created: 2009-03-21 21:05:11 +05:30
Authoring application: Acrobat Distiller 7.0.5 for Macintosh
MD5: 2cc908aabc45e1f4ea269b52f8ce974b
SHA-1: b3ab2eb86eaf9d440551cbbb1f36dbc3c6f4d889
SHA-256: c870ee43e442c33b96684135e60d7ea956be2da128c9d6b834d2b9154eaf9f90
Risk score: 286

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious Link

The PDF contains embedded JavaScript and a launch action that executes cmd.exe. This indicates an attempt to exploit vulnerabilities within the PDF reader to run arbitrary commands. The command execution instruction suggests the malware is designed to download and execute a second-stage payload. While many URLs are benign, the presence of a launch action targeting cmd.exe is a critical indicator of malicious intent.

Heuristics (10)

  • Launch action (critical, PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe (critical, PDF_LAUNCH_COMMAND)
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\crime.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • Clickable PDF combines external action with parser-evasion structure (high, PDF_ACTION_PARSER_EVASION)
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Visible LOLBin command execution instruction (high, SE_LOLBIN_RUN_COMMAND)
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.netaddiction.com/faq.htm
    • http://www.honeynet.org/papers/bots/
    • http://.rstmonday.org/issues/issue10_9/abad/index.html
    • http://www.htcia.org/
    • http://www.issa.org/
    • http://www.infragard.net/
    • http://www.certmag.com/images/CM1206_salSurveyFig1.jpg
    • http://www.cybercrime.gov/cc.html
    • http://www.cybercrime.gov/ccmanual/index.html
    • http://www.cybercrime.gov/s&smanual2002.htm
    • https://www2.sansorg/reading_room/whitepapers/incident/627.php
    • http://68.156.151.124/index.html
    • http://macek.czechian.net/defining_cyberculture.htm
    • http://ojjdp.ncjrs.org/
    • http://www.bcybersafe.org/
    • http://www.ncmec.org/
    • http://www.internetretailer.com/internet/marketing-conference/29522-worldwide-internet-access-inches-up.html
    • http://www.4lawschool.com/property/virtual.shtml
    • http://www.centernetworks.com/myspace-hacked
    • http://www.votetrustusa.org/index.php?option=com_content&task=view&id=2554&Itemid=113
    • http://www.cpsr.org/issues/ethics/cei
    • http://www.pcretailmag.com/news/28704/Trojans-penetrate-online-gaming
    • http://www.igcouncil.org/index.php?option=com_content&task=view&id=186&Itemid=47
    • http://www.emuunlim.com/doteaters/play1sta1.htm
    • http://project.cyberpunk.ru/idb/hacker_ethics.html
    • http://www.cybercrime.gov/melissaSent.htm
    • http://www.markus-giesler.com/
    • http://www.nw3c.org/
    • http://www.mors.org/publications/phalanx/dec00/feature.htm
    • https://www.policyarchive.org/bitstream/handle/10207/3364/RS20557_20020603.pdf?sequence=3
    • http://www.antiphishing.org
    • http://apwg.org/reports/apwg_report_june_2007.pdf
    • http://www.antiphishing.org/word_phish.html
    • http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf
    • http://onguardonline.gov/index.html
    • http://www.cisse.info/colloquia/cisse7/history.htm
    • http://www.cybercrime.gov/ag0216.htm
    • http://www.iacis.org/iis/2001_iis/TOC-IACIS-2001.htm
    • http://www.rrcsei.org/RIT%20Cyber%20Survey%20Final%20Report.pdfParker
    • http://ori.dhhs.gov/education/
    • http://ori.dhhs.gov/misconduct/cases/press_release_poehlman.shtml
    • http://www.securitiesfraudfyi.com/enron_fraud.html
    • http://www.securitiesfraudfyi.com/worldcom_fraud.html
    • http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf
    • http://www.rrcsei.org/rrcseicontentresearch.pdf
    • http://www.itsecurity.com/features/real-cost-of-spam-121007/
    • http://www.aic.gov.au/publications/rpp/78/rpp78.pdf
    • http://www.cioinsight.com/c/a/Trends/Analysis-Data-Infrastruture/
    • http://itcinstitute.com/display.aspx?id=4202
    • http://www.electricnews.net/article/10038156.html
    +158 more URL(s)

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source, and size.

  • javascript_obj1483_000.js
    SHA-256: 2b53dbf853889061e19a5562ac2f4859ac4ba8aef2e858e08b18bb70da7a2b71
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1483 at offset 0x1112F5
    Size: 54 bytes
  • font_00_cff_off000906f6.bin
    SHA-256: add3f74ff74abb3d28242c0dd4a7fec278b2d817794646b17af56393af5be6fe
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x906F6
    Size: 416 bytes
  • font_01_cff_off00090aeb.bin
    SHA-256: d1bdf2a4003727e0b3e8f7975b2215dd0be4f0b5d22400436dd534fc5335347f
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x90AEB
    Size: 167 bytes
  • font_02_cff_off000ee46f.bin
    SHA-256: ffe90f0c142534fc7179b26ad8199d210770e04865fcbc04e27368947378ccfe
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xEE46F
    Size: 12266 bytes
  • font_03_cff_off000f13ff.bin
    SHA-256: e14712ca386f4ffcfa43a712984437e5a2382c65b11280bcd74c6a0a138144e0
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xF13FF
    Size: 1741 bytes
  • font_04_cff_off000f1e94.bin
    SHA-256: cc0253b97f08f721a037fb92a13082408be8efc929415134bfdd62165272bfde
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xF1E94
    Size: 550 bytes
  • font_05_cff_off000f2646.bin
    SHA-256: 745e6b17d3cbb77199950e461c4951b40c7eb15e844b434f3e9cfd62e0b5fb46
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xF2646
    Size: 9978 bytes
  • font_06_cff_off000f505f.bin
    SHA-256: f228a50a37af0f208d787974d286bee57da958a44e07b80d35a41e8061851906
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xF505F
    Size: 1149 bytes
  • font_07_cff_off000f5b0c.bin
    SHA-256: 7f60c43bd9d82d626f725c3bf8707e35385c47be11f6d368ccfcfce308d14ef7
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xF5B0C
    Size: 10795 bytes
  • font_08_cff_off000f8711.bin
    SHA-256: 47cb5926905171973a5bf02b0da07b15f62d8b77318b4168930aaf8c49bcd42e
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xF8711
    Size: 4323 bytes
  • font_09_cff_off000f9a5d.bin
    SHA-256: 617d90ae3ed86f83c5563a5a8a0be512b1fad7b32dfaa13cb94a6eab00603d8a
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xF9A5D
    Size: 3190 bytes
  • font_10_cff_off000fab05.bin
    SHA-256: 37011db834b02bb41c780d907c4088bf5cfff64eec0fbfc8ba621b67d8ee523d
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xFAB05
    Size: 104 bytes
  • font_11_cff_off000fb09e.bin
    SHA-256: d41b6f81e9b2c01bde07018b18f331d45548de59f4b7267e8028161df403e6c8
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xFB09E
    Size: 1072 bytes