Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb7ef207d427b53a…

MALICIOUS

PDF

312.1 KB Created: 2010-02-10 15:34:59 +01:00 Authoring application: Writer (via OpenOffice.org 3.1)
MD5: 86da53fafd3002e5a6a97c4f9ac3c97f SHA-1: 15d57db013908b43ca07f7efc28211150047b8d1 SHA-256: cb7ef207d427b53a17e115059b3e7e328a55cc6454408ff87cbf787c35b5fcdc
526 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.003 Windows Command Shell T1105 Ingress Tool Transfer T1566.002 Spearphishing Attachment

The PDF file contains a JavaScript action that triggers a launch command, exploiting CVE-2010-1240 to execute cmd.exe. This command is designed to download and run an embedded Windows executable payload, which was detected by ClamAV as Win.Trojan.Rozena-131. The embedded payload is disguised as a PDF file named 'fireforce_en_manual.pdf' but is identified as a Windows executable.

Heuristics 14

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\fireforce_en_manual.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable critical PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.scrt.ch/pages/fireforce/fireforce.xpi
    • https://addons.mozilla.org/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
fireforce_en_manual.pdf
3cf6d534466336da83be736420cce72213578ab668280aff919c977167b05a7f		 pdf-embedded-file PDF EmbeddedFile object 117 at offset 0x48EF8 37888 bytes
Detection
ClamAV: Win.Trojan.Rozena-131
Obfuscation or payload: unlikely
javascript_obj0118_000.js
b3ab59ef0991703642c254951e7abe08e89d16ec0cabbcd0e5e15fcb035348da		 pdf-javascript-stream PDF /JS object 118 at offset 0x4DC89 68 bytes
stream_015_off00021f16.bin
ff027821eb6007ec65a781497bd42ff1224c6e86627a835a21918243177fa016		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x21F16 141456 bytes
font_00_sfnt_off00039ab2.bin
f9a91f613dbb4d56f9ed40f918f570a675d183aaca071d9f4ec8be374dd410e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x39AB2 23660 bytes
font_01_sfnt_off0003d8a0.bin
91f45c017129d958d1920306f07fa9749d3785d1d4ed389596a3aaf1b2a86cab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3D8A0 1752 bytes
font_02_sfnt_off0003dec0.bin
70d40c52e0c77968d814d172f3a7e706a3494fc9453731f532a5a2480b2f19d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3DEC0 25728 bytes
font_03_sfnt_off0004228f.bin
8928f8132c0d25b8b12de8688704e4e0a2b2493dbf4979b8e35a8310410430b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4228F 25360 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.