Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5d727ba2db61bda…

MALICIOUS

PDF

Size: 221.5 KB
Created: 2009-12-02 08:12:33 -08:00
Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 8.1.0 (Windows))
MD5: 195360aa2c427b136cc6cfb25c3a7a61
SHA-1: eca6bc69b64324620b4510ac405be796371f9e33
SHA-256: f5d727ba2db61bdabc04941df9964f713199127fda52e38509d67d876339f2f5
Risk score: 384

Note: the creation date and authoring application are read from the document's own /Info dictionary and XMP metadata. Those fields are attacker-controlled and are usually inherited from whatever benign document was used as a template, so they do not date the weaponisation of the file.

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1105 Ingress Tool Transfer

This PDF exploits CVE-2010-1240, the Adobe Reader/Acrobat /Launch action weakness, through a /Launch action whose Windows target is cmd.exe. The visible parameters (/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\pdf.pdf" ...) switch to the user's profile directory and look for the document saved as pdf.pdf on the Desktop; the rest of the command line is truncated in this report, but its shape indicates an attempt to locate and run the PE image that the PDF itself carries. Reader displays a warning before running a /Launch target, but in 2010 the dialog text could be partly supplied by the attacker through these same parameters, which is why the technique was effective. ClamAV flags both the container (Pdf.Exploit.Agent-17559) and the carved FlateDecode stream at offset 0x324FF (Win.Trojan.MSShellcode-6360728-0), so document and payload are detected independently. The embedded executable is most likely a second-stage downloader or dropper; static analysis alone does not establish its final behaviour.

Heuristics (10)

  • Adobe Reader Launch action command execution [critical; exact CVE match] (rule CVE_2010_1240)
    PDF uses the Adobe Reader/Acrobat /Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action [critical] (rule PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL or UNC path; the action can start an external application when the document is opened or a trigger fires.
  • Embedded Windows executable payload in PDF stream [critical] (rule PDF_EMBEDDED_PE_PAYLOAD)
    Bytes of a PDF stream contain an embedded Windows executable with a verified PE header (an MZ stub whose e_lfanew pointer lands on a PE signature, not just the two letters MZ). Exploit chains often hide droppers inside ordinary content streams rather than in standard /EmbeddedFile attachments, which is where attachment-aware scanners look.
  • /Launch action target: cmd.exe [critical] (rule PDF_LAUNCH_COMMAND)
    The /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\pdf.pdf" (cd "Desktop"' (truncated in this report); the target is a known-dangerous executable (cmd, PowerShell, etc.). /Q silences cmd.exe's echo and /C runs the string and exits; the chain then changes to the user's profile directory and checks for the document saved as pdf.pdf on the Desktop.
  • ClamAV: Pdf.Exploit.Agent-17559 [critical] (rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-17559.
  • ClamAV detection on extracted artifact [critical] (rule EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file carved from inside this sample (here the FlateDecode stream at offset 0x324FF, detected as Win.Trojan.MSShellcode-6360728-0). Even when the wrapping document carries no AV detection of its own, a hit on a carved artifact is a strong indicator that the sample is a delivery vehicle.
  • JavaScript action [low] (rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] (rule PDF_JS)
    PDF references a /JS stream (here a 52-byte script in object 163). Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] (rule PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Embedded URL [info] (rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are XMP/RDF metadata namespace identifiers from the document's XMP packet, not network indicators, and should not be treated as IOCs.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
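Added example (not part of this report and not the analysis platform's code): a standard-library Python triage that re-implements three of the rules above, PDF_LAUNCH, PDF_LAUNCH_COMMAND and PDF_EMBEDDED_PE_PAYLOAD, and carves FlateDecode streams with offset, decoded size and SHA-256 in the same form as the artifact list that follows. The dangerous-executable list, the object-scanning regexes and the sample PDF (a cmd.exe /Launch using the real sample's visible parameter prefix, plus a Flate stream holding a fake MZ/PE header) are assumptions constructed for the demo. Regex scanning over the raw file is a triage shortcut, not a PDF parser: it will not see objects packed inside /ObjStm object streams or names written with hex escapes such as /L#61unch, which is exactly where evasive samples put them.

```python
import hashlib
import re
import struct
import zlib

# Assumed list of /Launch targets treated as known-dangerous (cmd, PowerShell, ...).
DANGEROUS_TARGETS = {"cmd.exe", "cmd", "powershell.exe", "powershell",
                     "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
LAUNCH_RE = re.compile(rb"/S\s*/Launch")
# /F (...) and /P (...) literal strings; inside them a backslash escapes the next byte.
STR_RE = re.compile(rb"/(F|P)\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Stream bodies; the lookbehind keeps 'endstream' from starting a bogus match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
# Constructed fake PE for the demo (not malware): e_lfanew at 0x3C points to 'PE\0\0' at 0x80.
SAMPLE_PE = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40)
             + b"PE\0\0" + struct.pack("<H", 0x14C) + bytes(64))

def pdf_string(raw: bytes) -> str:
    """Decode a PDF literal string body: \\n \\r \\t \\b \\f, octal \\ddd, and \\x -> x."""
    simple = {0x6E: 10, 0x72: 13, 0x74: 9, 0x62: 8, 0x66: 12}
    out, i = bytearray(), 0
    while i < len(raw):
        c, i = raw[i], i + 1
        if c != 0x5C or i == len(raw):       # ordinary byte (or a dangling backslash)
            out.append(c)
            continue
        n, i = raw[i], i + 1
        if n in simple:
            out.append(simple[n])
        elif 0x30 <= n <= 0x37:              # up to three octal digits, e.g. \143 = 'c'
            digits = bytes([n])
            while i < len(raw) and len(digits) < 3 and 0x30 <= raw[i] <= 0x37:
                digits, i = digits + raw[i:i + 1], i + 1
            out.append(int(digits, 8) & 0xFF)
        else:                                # \\ \( \) and any unknown escape
            out.append(n)
    return out.decode("latin-1")

def enclosing_object(data: bytes, pos: int) -> bytes:
    """Bytes of the indirect object around pos, bounded by the nearest 'obj' and 'endobj'."""
    start = data.rfind(b"obj", 0, pos)
    end = data.find(b"endobj", pos)
    return data[max(start, 0):end if end >= 0 else len(data)]

def find_pe_images(buf: bytes) -> list:
    """Offsets of MZ headers whose e_lfanew really points at a 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(rb"MZ", buf):
        i = m.start()
        if i + 0x40 > len(buf):
            break
        e_lfanew = struct.unpack_from("<I", buf, i + 0x3C)[0]
        if 0x40 <= e_lfanew < 0x1000 and buf[i + e_lfanew:i + e_lfanew + 4] == b"PE\0\0":
            hits.append(i)
    return hits

def triage(data: bytes) -> dict:
    """Collect /Launch actions, carved Flate streams, and the rule names they trip."""
    report = {"launch": [], "streams": [], "rules": set()}
    for m in LAUNCH_RE.finditer(data):
        fields = {k: pdf_string(v)
                  for k, v in STR_RE.findall(enclosing_object(data, m.start()))}
        target = fields.get(b"F")
        exe = (target or "").lower().replace("/", "\\").rsplit("\\", 1)[-1]
        dangerous = exe in DANGEROUS_TARGETS
        report["launch"].append({"target": target, "params": fields.get(b"P"), "dangerous": dangerous})
        report["rules"].add("PDF_LAUNCH")
        if dangerous:
            report["rules"].add("PDF_LAUNCH_COMMAND")
    for m in STREAM_RE.finditer(data):
        if b"/FlateDecode" not in enclosing_object(data, m.start()):
            continue                         # only Flate streams, as in the artifact list
        try:                                 # decompressobj tolerates truncation/trailing junk
            plain = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue
        pe = find_pe_images(plain)
        report["streams"].append({"offset": m.start(1), "size": len(plain),
                                  "sha256": hashlib.sha256(plain).hexdigest(), "pe_offsets": pe})
        if pe:
            report["rules"].add("PDF_EMBEDDED_PE_PAYLOAD")
    return report

def build_sample_pdf() -> bytes:
    """Constructed input: a cmd.exe /Launch (/Win written before /S) plus a Flate stream of SAMPLE_PE."""
    comp = zlib.compress(SAMPLE_PE)
    params = rb'/Q /C %HOMEDRIVE%&cd %HOMEPATH%&\(if exist "Desktop\\pdf.pdf" \(cd "Desktop"\)\)'
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Action /Win << /F (cmd.exe) /P (" + params
            + b") >> /S /Launch >>\nendobj\n3 0 obj\n<< /Length " + str(len(comp)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + comp + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    import json, sys    # usage: python pdf_triage.py [sample.pdf]; defaults to the built-in sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    print(json.dumps(triage(data), default=sorted, indent=2))
```

Run it with a file path to triage a real sample; without arguments it runs against the built-in sample. The PE check is the same idea as the "verified PE header" wording in the rule above: the two bytes MZ alone are noise (they occur by chance in fonts and images), so the e_lfanew pointer must land on a PE\0\0 signature before a stream is flagged. The string decoder matters for the same reason: attackers routinely write the target as \143\155\144.exe or split it with escapes so that a plain grep for cmd.exe finds nothing.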

Extracted artifacts (14)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source (object or offset inside the PDF) and decoded size.

  • javascript_obj0163_000.js
    SHA-256: 43c541c654fef21cf523c77fa0bd58c79db84e77b5febae0582d6bdff7dc683a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 163 at offset 0x37204
    Size: 52 bytes
  • stream_014_off0000d689.bin
    SHA-256: dca245cedcf22d5b26267e22d36eac9268cec5a9e9f27c8236eec5123a66a74f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xD689
    Size: 4666 bytes
  • stream_053_off000324ff.bin
    SHA-256: df0fc3036d9d7a34674225c8ff547fbdfc83b4d41c7101577a861acc4de0ea59
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x324FF
    Size: 37888 bytes
    Detection: ClamAV Win.Trojan.MSShellcode-6360728-0
    Obfuscation or payload: unlikely
  • font_00_cff_off00000d3a.bin
    SHA-256: b0c5c9e3163b7417b7ede0d8237d4fb0e25a00c9404f12156bea3c9f20d22c78
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xD3A
    Size: 6111 bytes
  • font_01_cff_off00002c8a.bin
    SHA-256: f4eeda6e5d2cb9bbcf05b224c5d7fae5cfdae199c52f025323300cbebe7f7a8b
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x2C8A
    Size: 5384 bytes
  • font_02_sfnt_off00004394.bin
    SHA-256: 1d323dae2cd4830cc9befa2da6f0bda00ed884a90bb0e84badc369384ce1198e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4394
    Size: 9080 bytes
  • font_03_sfnt_off00021519.bin
    SHA-256: 190305fcc6034e92e35594b4a7d887b23148a835a99328630372f1cfcf4fe41b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x21519
    Size: 23776 bytes
  • font_04_cff_off00023df9.bin
    SHA-256: 73f557a71b8ecfed208c3d13f501aa1c9568932c4a091b68351e88294f42051f
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x23DF9
    Size: 12355 bytes
  • font_05_sfnt_off00026bfb.bin
    SHA-256: 67468f5cf48b0e46d6d125ca4955e7655cef9ec7d4c43f4fb86bff5c71daae6a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x26BFB
    Size: 5884 bytes
  • font_06_cff_off0002827d.bin
    SHA-256: 0c6896733810b9242586ca373541c3ebdde6e5a91b53b588f7e687690fa1f0d2
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x2827D
    Size: 5526 bytes
  • font_07_sfnt_off0002984b.bin
    SHA-256: 8e7b88b0245cd71bc38839e5fba3f7917a9a4065fb031442f6ee84a73775e8b3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2984B
    Size: 21736 bytes
  • font_08_sfnt_off0002b8fa.bin
    SHA-256: 4c487e09361a14da36cfae1dc1a85eb0ef677e44026c076ec3bc08b79beb7afb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2B8FA
    Size: 23480 bytes
  • font_09_cff_off0002da9b.bin
    SHA-256: 852f9f7434f94b437d2db4145a4c638f64baad01373c6ddef2ecae7dbd0dd920
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x2DA9B
    Size: 6968 bytes
  • font_10_cff_off0002f86b.bin
    SHA-256: 8b5e0d718003c46a9c478822a887647f1e47ff4f5259855735ac812464d310d0
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x2F86B
    Size: 3898 bytes