Malicious PDF — malware analysis report

Static analysis result for SHA-256 dae9bcefb4d2a325…

Verdict: MALICIOUS
File type: PDF
Size: 318.6 KB
Created: 2010-02-08 18:51:50 +01:00
Authoring application: TeX (via pdfTeX-1.40.3)
MD5: 2183c7ae4149c7075e40a8f759bf285f
SHA-1: 1c9cb274bda2ba1c6d2471c88f2906713c1eb65d
SHA-256: dae9bcefb4d2a3252d90f3d24310a17fd85a510ca04d816243821bcc6ac7f2cb
Risk score: 428

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The PDF file contains embedded JavaScript and a launch action that executes cmd.exe, exploiting CVE-2010-1240. This action is designed to download and execute a secondary payload, as indicated by the critical heuristic firings and the ClamAV detection of an embedded PE payload. The embedded executable was detected as Win.Trojan.Rozena-736, and the PDF itself was detected as Pdf.Tool.Agent-1388586.

Heuristics (13)

  • Adobe Reader Launch action command execution (critical; CVE exact: CVE_2010_1240)
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action (critical; rule PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application.
  • Embedded Windows executable payload in PDF stream (critical; rule PDF_EMBEDDED_PE_PAYLOAD)
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe (critical; rule PDF_LAUNCH_COMMAND)
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\polipo.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 (critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586.
  • ClamAV detection on extracted artifact (critical; rule EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Clickable PDF combines external action with parser-evasion structure (high; rule PDF_ACTION_PARSER_EVASION)
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • JavaScript action (low; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low; rule PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • External URI (info; rule PDF_URI)
    PDF contains an external URL action.
  • Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://internet.junkbuster.com/
      • http://www.privoxy.org/
      • http://zipper.paco.net/~igor/oops.eng/
      • http://www.opera.com/
      • http://www.mozilla.org
      • http://www.debian.org
      • http://www.squid-cache.org/
      • http://www.apache.org/
      • http://www.gedanken.demon.co.uk/wwwoffle/
      • http://tor.eff.org
      • https://www.torproject.org/torbutton/
      • http://home.t-online.de/home/Moestl/

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Each entry lists the filename, SHA-256, kind, source location inside the PDF, size and, where the scanner reported one, the detection result.

  • javascript_obj0870_000.js
    SHA-256: 9c9d4e989248221b06bb546eb2bbb6d44cb9901f7ac22e3ac95c0216f640502b
    Kind: pdf-javascript-stream
    Source: PDF /JS object 870 at offset 0x4F691
    Size: 55 bytes
  • stream_035_off0002cb8b.bin
    SHA-256: 3f3016da3d6b20672e4a194cbe55ee85bb8421e5b1028b158e3d359d3646ca29
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2CB8B
    Size: 1734 bytes
  • stream_037_off0002da02.bin
    SHA-256: ef0150165269e05cc5aaa2bdbe90a34033fa99d0e21b27f88c9e69d613c92ab7
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2DA02
    Size: 1734 bytes
  • stream_042_off00038784.bin
    SHA-256: 35f6f377b01d3719eaf7a4c286d557ee14d92551ad2b805ab2b1027a04dc913a
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x38784
    Size: 3938 bytes
  • stream_046_off0003c988.bin
    SHA-256: 7f915a2d2454d86c4d18929fbadd1277e41b6b002c2707f740cc71c85586f79c
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3C988
    Size: 15293 bytes
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact entropy is 7.88, consistent with packed or encrypted content)
  • stream_047_off0004044b.bin
    SHA-256: b5bf23f7cc994344544888951bd29cc953f276b19f6cf6fbb2d21ea7d2605339
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4044B
    Size: 11021 bytes
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact entropy is 7.87, consistent with packed or encrypted content)
  • stream_048_off0004a9b6.bin
    SHA-256: 2cee9f1fc75c499a615c724c1352cea43e258c91349b1d73aebcf4d5474b6269
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4A9B6
    Size: 37888 bytes
    Detection: ClamAV: Win.Trojan.Rozena-736; obfuscation or payload: unlikely
  • font_01_type1_off0002d2c4.bin
    SHA-256: 7fa1975cfb5e221517c20cc8bc89f772ad59ad1fca5dc1ea37307406733dc851
    Kind: pdf-font-stream
    Source: PDF embedded font (type1) at offset 0x2D2C4
    Size: 1734 bytes
  • font_03_type1_off0002e141.bin
    SHA-256: 7fa343986f3fd97d1c267dcd206c9387d089796aece3a580cd1c18d45efdcfaf
    Kind: pdf-font-stream
    Source: PDF embedded font (type1) at offset 0x2E141
    Size: 17405 bytes
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact entropy is 7.90, consistent with packed or encrypted content)
  • font_04_type1_off0003240d.bin
    SHA-256: 38ed21d120a164c314133994a40342b8575739b9669bec1d1d351dde831c93d6
    Kind: pdf-font-stream
    Source: PDF embedded font (type1) at offset 0x3240D
    Size: 2913 bytes
  • font_05_type1_off00032fde.bin
    SHA-256: 10561f464965b8f78840f03db39510b7041953ab7982483558ab5fa45f8dcf51
    Kind: pdf-font-stream
    Source: PDF embedded font (type1) at offset 0x32FDE
    Size: 14156 bytes
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact entropy is 7.89, consistent with packed or encrypted content)
  • font_06_type1_off00036638.bin
    SHA-256: be18758e222f05f561ab389f85ad7bdcd3232e5915d05e43677322ddcc468456
    Kind: pdf-font-stream
    Source: PDF embedded font (type1) at offset 0x36638
    Size: 8602 bytes
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact entropy is 7.87, consistent with packed or encrypted content)
  • font_08_type1_off0003971f.bin
    SHA-256: c8562132561c433be11edfc8fbab9e1768be5be9bff58f934b228047c502d39e
    Kind: pdf-font-stream
    Source: PDF embedded font (type1) at offset 0x3971F
    Size: 3634 bytes
  • font_09_type1_off0003a583.bin
    SHA-256: 86f632017c4a40ffcd0303a1f12fba71079f9d524db8f2083cc0e469dddea973
    Kind: pdf-font-stream
    Source: PDF embedded font (type1) at offset 0x3A583
    Size: 1484 bytes
  • font_10_type1_off0003abc4.bin
    SHA-256: bb5ddbd42493c56c76dae04944735c340a4d0ace634bb2cd4c0065d2ee13c08b
    Kind: pdf-font-stream
    Source: PDF embedded font (type1) at offset 0x3ABC4
    Size: 7629 bytes
    Detection: ClamAV: No threats found; obfuscation or payload: likely (carved artifact entropy is 7.86, consistent with packed or encrypted content)