Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc9ca54f64c94dd4…

MALICIOUS

PDF

109.2 KB Authoring application: cairo 1.7.4 (http://cairographics.org
MD5: dbb503d3b1f82849a76e559e852d4df2 SHA-1: 50c7658ae421496e53bc95d6c658221967be9991 SHA-256: dc9ca54f64c94dd47be15f0c475b4d02193c70fab11ebdfc2cc1ca431176797b
244 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1204.002 Malicious File T1566.002 Spearphishing Attachment

The PDF contains embedded JavaScript and a critical heuristic firing for PDF_LAUNCH_COMMAND indicates that Cmd.EXE is being launched with parameters that suggest execution of an embedded payload. The PDF_EMBEDDED_PE_PAYLOAD heuristic confirms a Windows executable is present within the PDF stream. The embedded executable is the primary payload, likely delivered via a spearphishing attachment.

Heuristics 8

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: Cmd.EXE critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\test.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://cairographics.org

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0096_000.js
b1a09f919e0f5d1c1d284849c9af93bae6fd1411634dfdc491e126f9cd327f3f		 pdf-javascript-stream PDF /JS object 96 at offset 0x1B086 53 bytes
stream_026_off000199e8.bin
d99025bd25af8ab78d97269d81f00b8de749b5e7e7fd064c278b80d4d8e59e9b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x199E8 18144 bytes
font_00_sfnt_off0000a47c.bin
ffa975e444309aebf63087f3372274e1fd05a3b85a460f0c6a855bdc7113c769		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA47C 12956 bytes
font_01_sfnt_off0000cf57.bin
2851bc3374b9c02cc1131d2e60acd2be985d12500167557e434aea7b813ffea5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCF57 23504 bytes
font_02_sfnt_off00011762.bin
716a68784192bd9b2407ec84c2b43eea85b119a8f83097233f5b893eff7601f2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11762 16892 bytes
font_03_sfnt_off00014d10.bin
661b5ab8b79bed39fb077069230bed3c4fef1ec7b66f26711c6735d5964187ab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14D10 10680 bytes
font_04_sfnt_off00017024.bin
774840a6a84af5d7c37f05ceef2629c139a9eca873339dd9e3b1226aa5487008		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17024 4488 bytes
font_05_sfnt_off000181df.bin
257507ce0ea20492f410111dbfa2e235e1ad6f7edab9fec531ae3412c661965e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x181DF 3820 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.