Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9fe34626ef8fc63…

Verdict: MALICIOUS
File type: PDF
Size: 156.3 KB
Created: 6/17/2004 0:10:40
Authoring application: PScript5.dll Version 5.2 (via GNU Ghostscript 7.05)
MD5: 9d16801865b77097fa43b7fcfb5cb1c4
SHA-1: 595a031b679d3221e2eced29986944be623e888b
SHA-256: d9fe34626ef8fc63a28bbe366aec81625a81444b0fe9763244b2ebf42a701fc3
Risk score: 484

Malware Insights

MITRE ATT&CK:
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The PDF file contains embedded JavaScript and a launch action that targets cmd.exe, indicating an attempt to execute arbitrary commands. Critical heuristics confirm the presence of an embedded PE payload and a launch action designed to exploit CVE-2010-1240. The embedded payload was detected by ClamAV as 'Pdf.Tool.Agent-1388586' and the extracted artifact as 'Win.Trojan.MSShellcode-6360730-0'. This suggests the document is a dropper for a malicious executable.

Heuristics (11)

  • Adobe Reader Launch action command execution (critical; CVE exact; rule CVE_2010_1240)
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action (critical; rule PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application.
  • Embedded Windows executable payload in PDF stream (critical; rule PDF_EMBEDDED_PE_PAYLOAD)
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe (critical; rule PDF_LAUNCH_COMMAND)
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable (critical; rule PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH)
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image, but the bytes are an executable or an executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Pdf.Tool.Agent-1388586 (critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586.
  • ClamAV detection on extracted artifact (critical; rule EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • /Launch action paired with attachment-dropping JS API (high; rule PDF_LAUNCH_PLUS_DROPPER_JS)
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • JavaScript action (low; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low; rule PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, followed by its kind, source location inside the PDF, and size.

  • pdf (pdf-embedded-file; PDF EmbeddedFile object 81 at offset 0x1BF2C; 73802 bytes)
    SHA-256: a6bbdc48e40c4901663957c6adddf4900ebe60030524a71f25b8a4a453e373d3
    Detection: ClamAV: Win.Trojan.MSShellcode-6360730-0
    Obfuscation or payload: unlikely
  • javascript_obj0082_000.js (pdf-javascript-stream; PDF /JS object 82 at offset 0x26D09; 49 bytes)
    SHA-256: 135d8ff085921b81e04dc360543078fa4091eb102c6c0edfa69b9c2e8675d290
  • font_00_sfnt_off000054bc.bin (pdf-font-stream; PDF embedded font (sfnt) at offset 0x54BC; 8824 bytes)
    SHA-256: a82a400238dc1f59ca8236f335b6b04d41c788d85c38de3249bceb700897edec
  • font_01_sfnt_off0000690e.bin (pdf-font-stream; PDF embedded font (sfnt) at offset 0x690E; 15596 bytes)
    SHA-256: cbff779555ef3ae870c0e7f235ed61b6a7546c53a1d6e652906faf352c86598d
  • font_02_sfnt_off0000910c.bin (pdf-font-stream; PDF embedded font (sfnt) at offset 0x910C; 15920 bytes)
    SHA-256: 1c9f93d767c1415769b678b202d8a321f1e84380648d002a81b0a3fd9f0542f8
  • font_03_sfnt_off0000b9f3.bin (pdf-font-stream; PDF embedded font (sfnt) at offset 0xB9F3; 10804 bytes)
    SHA-256: f431964c97f3a27ac02a1933773f7b4bd697b6046a4e4804e0f27d3ae28b9529
  • font_04_sfnt_off0000d2e8.bin (pdf-font-stream; PDF embedded font (sfnt) at offset 0xD2E8; 23324 bytes)
    SHA-256: 0e262d74664c7b028c8a047814f1dfa545dc2779896d77a78da5add17627e280
  • font_05_sfnt_off0000feb8.bin (pdf-font-stream; PDF embedded font (sfnt) at offset 0xFEB8; 35748 bytes)
    SHA-256: b79c34b8c16753d440981f3a60751a2e5cb4a2820781f5cafaad2d4dc179db6d
  • font_06_cff_off0001484e.bin (pdf-font-stream; PDF embedded font (cff) at offset 0x1484E; 575 bytes)
    SHA-256: a9155ff9f0789eb883e595b77608d44acddf2189f9ba72b6afe6397c475d6172
  • font_07_cff_off00014b6d.bin (pdf-font-stream; PDF embedded font (cff) at offset 0x14B6D; 1681 bytes)
    SHA-256: 78948f054c179a4f81ed70969773c36897ebd3f2ad8b29887b6396ea61fe801e
  • font_08_cff_off000152bb.bin (pdf-font-stream; PDF embedded font (cff) at offset 0x152BB; 2401 bytes)
    SHA-256: cfcf7fe0f8af0f40ad07183b90839c8fb7d77515d36ab6c8755c767bd9cc24ba
  • font_09_cff_off00015bc0.bin (pdf-font-stream; PDF embedded font (cff) at offset 0x15BC0; 623 bytes)
    SHA-256: f893ce13e1bf2fe2e6458197afc13ec7ca9b26bd2b68c9fbc92241d4a221b3b9
  • font_10_cff_off00015f16.bin (pdf-font-stream; PDF embedded font (cff) at offset 0x15F16; 3166 bytes)
    SHA-256: 45c4295253fc75b426f2347c277db59c28335727e51c8db0ef7740076294be3b
  • font_11_cff_off00016be1.bin (pdf-font-stream; PDF embedded font (cff) at offset 0x16BE1; 8979 bytes)
    SHA-256: 797a293324e72ab2ae1e64f3f4c835f7f8daa34dc3257ae8ab7bc86470a95f7a
  • font_12_cff_off0001850b.bin (pdf-font-stream; PDF embedded font (cff) at offset 0x1850B; 666 bytes)
    SHA-256: f0482c88e2cf483e40de3e77eec38fc5a2f9916e2e29b93077c7f60c9f3913c6
  • font_13_cff_off0001886b.bin (pdf-font-stream; PDF embedded font (cff) at offset 0x1886B; 1018 bytes)
    SHA-256: 6419487e1ec6d6618ceb3d7a4618766fa244b541dbfaca36ea79ead0e3c58e5b