Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef57c18122dd71b0…

MALICIOUS

PDF

666.8 KB Created: 1999-12-26 15:37:45 Authoring application: TeX (via Aladdin Ghostscript 5.50)
MD5: e302faa0315b07d954d055bd3ce8b4ab SHA-1: 77b682dc24b2bde668f8db3f5090fa81fcc8472b SHA-256: ef57c18122dd71b095e928df93f2097ed6de31665f140d31f9d485ac6b5f657f
598 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.001 Spearphishing Attachment T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The PDF file contains embedded JavaScript that triggers a launch action, specifically targeting cmd.exe. This action is designed to execute a Windows executable payload that is also embedded within the PDF, masquerading as 'c:R-intro.pdf'. The ClamAV detection of 'Pdf.Tool.Agent-1388586' and 'Win.Trojan.Swrort-5710536-0' on the extracted artifact further confirms its malicious nature. The embedded JavaScript and launch action indicate an attempt to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9874

Heuristics 16

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\c:\R-intro.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded attachment masquerades: declared document, content is windows-executable critical PDF_EMBEDDED_FILESPEC_CONTENT_MISMATCH
    An /EmbeddedFile attachment's declared filename extension or /Subtype MIME type contradicts the magic bytes of its decompressed content. The attachment is declared as a benign document or image but the bytes are an executable or executable-bearing archive. This is a deliberate deception used to hide droppers in PDF attachments and is a generic indicator of embed-and-drop weaponisation, independent of any specific CVE.
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Remote GoTo action high PDF_GOTO_REMOTE
    PDF references an external document via GoToR/GoToE whose target is a URL, UNC path, or executable
  • /Launch action paired with attachment-dropping JS API high PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.ggobi.org/
    • http://www.ggobi.org/rggobi
    • http://CRAN.R-project.org
    • http://CRAN.R-project.org/
    • http://www.bioconductor.org/
    • http://ESS.R-project.org

Extracted artifacts 25

Files carved from inside the sample during analysis.

FilenameKindSourceSize
cR-intro.pdf
badb8f1df8752da73ad08a3248ba622afa17715c0ad847fee3b1185111372d54		 pdf-embedded-file PDF EmbeddedFile object 1654 at offset 0x9D9D3 61440 bytes
Detection
ClamAV: Win.Trojan.Swrort-5710536-0
Obfuscation or payload: unlikely
javascript_obj1655_000.js
be67042d4bdacba63b45ab2c10a6846eb2326d201f2c30f07234607a55f74534		 pdf-javascript-stream PDF /JS object 1655 at offset 0xA66F4 58 bytes
stream_114_off0006cb63.bin
7e10555220c4ae44ee25adee594f24d484ec36b6b2350925b7c2c6c46b5e41bf		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6CB63 11342 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.
stream_117_off00070c20.bin
4b4852b147e285f80c5200a3bdeca9f1a3b32cd00b78a0d4fe338383ac05dc47		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x70C20 2861 bytes
stream_122_off0007ad8c.bin
49ca8c086f008e85f50e2e51c9b55a8c2fe8c2026ac60bcf6a4acd3f7eb7ac31		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x7AD8C 9733 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.89, consistent with packed or encrypted content.
stream_124_off0007daf4.bin
2113bd6219ad3befb7a1c5dae703905d672d59dc521c4b7b0b1fb555263d1bf3		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x7DAF4 8772 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.85, consistent with packed or encrypted content.
font_00_type1_off000675b0.bin
3094825b5ce890f712e15e00639dcaaf89332e918ec2c752958143c70d2b9fe6		 pdf-font-stream PDF embedded font (type1) at offset 0x675B0 14517 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.88, consistent with packed or encrypted content.
font_01_type1_off0006ad62.bin
c09210d295e4d4d9dbb74b093e020f865083332b7bb7338196f1ae5171bef3d4		 pdf-font-stream PDF embedded font (type1) at offset 0x6AD62 1931 bytes
font_02_type1_off0006b56d.bin
f1588eabbd670e98523666c1c3c04b712c1b3697d47a5408739062620b33659c		 pdf-font-stream PDF embedded font (type1) at offset 0x6B56D 3310 bytes
font_03_type1_off0006c2a7.bin
d5404eb74f2fe6b252ee95d36c847601169ade156df241fb1686b184793a1839		 pdf-font-stream PDF embedded font (type1) at offset 0x6C2A7 2095 bytes
font_05_type1_off0006f751.bin
7fa1975cfb5e221517c20cc8bc89f772ad59ad1fca5dc1ea37307406733dc851		 pdf-font-stream PDF embedded font (type1) at offset 0x6F751 1734 bytes
font_06_type1_off0006fe93.bin
fffc7ab8e0f0b59baa3cd48815c1c2a80d395dcb7a8d93956fd32b984aee31f2		 pdf-font-stream PDF embedded font (type1) at offset 0x6FE93 3376 bytes
font_08_type1_off000717bb.bin
7977613468e73be9e77eadb5274aae8acf86e86a96bc30f3273f9f6ce1fa86f1		 pdf-font-stream PDF embedded font (type1) at offset 0x717BB 18521 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.
font_09_type1_off00075ede.bin
569e3874942341e79b54a7e474d51613fa4326e4add76424de02a044bf6cacb0		 pdf-font-stream PDF embedded font (type1) at offset 0x75EDE 2834 bytes
font_10_type1_off00076a5f.bin
6b2c9c9662d638cdb4048836bf9410dff4586924e8b7a9cd8eb108304bc0665f		 pdf-font-stream PDF embedded font (type1) at offset 0x76A5F 2422 bytes
font_11_type1_off00077445.bin
9a5e2064f194560c4c269c9f6dae2d324c3782846c6996f7d4698cec6ee9ede8		 pdf-font-stream PDF embedded font (type1) at offset 0x77445 14936 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.88, consistent with packed or encrypted content.
font_13_type1_off0007d324.bin
602421b087b572a35685d8095011114746a50db26496bda74ac882a4352e2291		 pdf-font-stream PDF embedded font (type1) at offset 0x7D324 1870 bytes
font_15_type1_off0007fcd1.bin
3eaf0a1541e53aa5c72e7729e97c4ea043a8a73637a71bf26258920531129d32		 pdf-font-stream PDF embedded font (type1) at offset 0x7FCD1 2888 bytes
font_16_type1_off00080894.bin
d38696a0c92f5b1912369ebdf18bbc57461ca270be511ab5ecdd70955506e665		 pdf-font-stream PDF embedded font (type1) at offset 0x80894 1436 bytes
font_17_type1_off00080ea5.bin
72f9ff2c72f16f3bf48d4016a4532a5602bbb802237a5900bd736de7cdf31b69		 pdf-font-stream PDF embedded font (type1) at offset 0x80EA5 12940 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.
font_18_type1_off00084096.bin
0313912b21cab1b37ba37b64fcdfad1b66e0e6dd1fe54e69acd2b5b7bd57234a		 pdf-font-stream PDF embedded font (type1) at offset 0x84096 4650 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.77, consistent with packed or encrypted content.
font_19_type1_off000852ec.bin
a64e5393bcc817dc708d2b5578eb03334a55afc91a1d9eec90e02622b4356ee8		 pdf-font-stream PDF embedded font (type1) at offset 0x852EC 17425 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.89, consistent with packed or encrypted content.
font_20_type1_off000895d8.bin
e989a770203bd1bf3cac6acc62989a688c50f6ce1cc068cc6a50c3289ebc6a36		 pdf-font-stream PDF embedded font (type1) at offset 0x895D8 6182 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.80, consistent with packed or encrypted content.
font_21_type1_off0008adf3.bin
23b64e9facef1af0e00bded7422448d105af2b6909a3407f5428ad711e076e45		 pdf-font-stream PDF embedded font (type1) at offset 0x8ADF3 11016 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.85, consistent with packed or encrypted content.
font_22_type1_off0008d86b.bin
fad4e5fb60378fe8e8592ab9e4033f5d44c062aa2dbbd1047c568389f5fed1c6		 pdf-font-stream PDF embedded font (type1) at offset 0x8D86B 2037 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.