Malicious PDF — malware analysis report

Static analysis result for SHA-256 d67c0c26c2f41e82…

Verdict: MALICIOUS
File type: PDF
Size: 45.2 KB
Authoring application: cairo 1.8.0 (http://cairographics.org)
MD5: 0315ee700cfee85a833b84c7ab4c0d1a
SHA-1: 390abff582df6d8a87081938a1e1e28ba42d45c1
SHA-256: d67c0c26c2f41e829b3381efa0757a2f0f442891f4015c0c3812b2e28f1ed8d5
Risk score: 324

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The PDF file contains embedded JavaScript and a PE payload, and critical-severity heuristics indicate a /Launch action targeting cmd.exe. Together these indicators suggest the PDF is designed to exploit CVE-2010-1240 to execute a dropped payload, likely a trojan dropper, consistent with the ClamAV detection (Win.Trojan.Dropper-131). The embedded file name 'Canada_Post_Notice_441.pdf' is likely a lure.

Heuristics (9)

  • Adobe Reader Launch action command execution [critical | CVE exact | CVE_2010_1240]
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action [critical | PDF_LAUNCH]
    PDF contains a /Launch action whose target is an executable, URL, or UNC path; this can start an external application.
  • Embedded Windows executable payload in PDF stream [critical | PDF_EMBEDDED_PE_PAYLOAD]
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe [critical | PDF_LAUNCH_COMMAND]
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\Canada_Post_Notice_441.pdf" (cd "Desktop"' and references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Win.Trojan.Dropper-131 [critical | CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Dropper-131
  • JavaScript action [low | PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low | PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low | PDF_EMBEDDED]
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Embedded URL [info | EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://cairographics.org

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0019_000.js
    SHA-256: fbe6a2f480df05b9c1cdb3c7e497ab2a00d88055a8cee17585b299bf90105823
    Kind: pdf-javascript-stream
    Source: PDF /JS object 19 at offset 0xB083
    Size: 71 bytes
  • Filename: stream_003_off00002083.bin
    SHA-256: e94a9d59fc07c9817d51c927316a2286cb928e65873c5332be4f1b2ff2f218a9
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2083
    Size: 56832 bytes