PDF malware analysis — malicious · ec5eab5c9ed5f777

MALICIOUS

PDF

654.5 KB Created: 2006-04-07 16:59:06 -04:00 Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 7.0.5 (Windows))

MD5: 04dd56cfcaa39c7f4f2c79ca23f54dba SHA-1: 2357aa28dbf237c7894e8b583070e2cdad87af7e SHA-256: ec5eab5c9ed5f777348cd0812dedf530e37751dd7aa6751d58c5ddaa73906d5b

272 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell T1105 Ingress Tool Transfer

The PDF file contains embedded JavaScript and a launch action that executes cmd.exe with specific parameters. This indicates an attempt to exploit CVE-2010-1240 to run commands. The command execution targets a file named 'LovePoems2.pdf' on the Desktop, suggesting a lure or a second-stage payload. The ClamAV detection 'Pdf.Tool.Agent-1388586' further confirms its malicious nature. The embedded JavaScript and launch action strongly suggest the intent to download and execute further malicious content.

Heuristics 9

Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240

PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
Launch action critical PDF_LAUNCH

PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND

PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\LovePoems2.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj1002_000.js` `8f9af84a0037b87b06ac0ad0c089eb8cd2c23893c373bb22bad0c092d44cf158`	pdf-javascript-stream	PDF /JS object 1002 at offset 0xA352F	59 bytes
`stream_105_off0002bb53.bin` `e48af96d0eb0dac8731312e3c9e267f4e4d42443602333e7c4475ff5573cf2ab`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x2BB53	166932 bytes
`icc_00_off000092cc.icc` `2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e`	pdf-icc-profile	PDF ICC profile at offset 0x92CC	3144 bytes
`font_00_sfnt_off00000d48.bin` `f2b324159434f30178e28b4c144bb54fdb83eb2058992def1e9b0bf7d7236379`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD48	20756 bytes
`font_01_sfnt_off00021907.bin` `da1d205d78d0ac090e49c9de739c9b454f3fe68f026ac5e3086083b04d52d93d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x21907	7984 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.