Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6012406e6634d94…

Verdict: MALICIOUS
File type: PDF
Size: 2.21 MB
Created: 2014-10-07 14:48:58 -04:00
Authoring application: Adobe InDesign CC 2014 (Macintosh) (via Adobe PDF Library 11.0)
MD5: 7f29183f06380a6f804e46d120a5ad3c
SHA-1: 6f12f3d8749f8a3bc1a350d740806847aab65f7a
SHA-256: f6012406e6634d944b6555a368cf48e28471b1955eef070b87756fb5b80c7136
Risk Score: 394

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The PDF file contains embedded JavaScript and a launch action that targets cmd.exe, indicating an attempt to execute a payload. A critical heuristic identified an embedded PE executable payload within a PDF stream, and ClamAV detected it as Win.Trojan.Swrort-5710536-0. The PDF also includes a launch command that attempts to change directory and potentially execute further commands. The presence of these elements strongly suggests a malicious intent to deliver and execute a secondary payload.

Heuristics (13)

  • Launch action (critical, PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application.
  • Embedded Windows executable payload in PDF stream (critical, PDF_EMBEDDED_PE_PAYLOAD)
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe (critical, PDF_LAUNCH_COMMAND)
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\Invoice.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586.
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Clickable PDF combines external action with parser-evasion structure (high, PDF_ACTION_PARSER_EVASION)
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • QR-code redirect lure (medium, SE_QR_LURE)
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • ASCII85Decode filter (with exploit indicators) (low, PDF_FILTER_85)
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/exif/1.0/aux/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/camera-raw-settings/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://www.exacttarget.com/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#
    • http://ns.adobe.com/illustrator/1.0/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, SHA-256, kind, source location inside the PDF, size, and any detection on it.

  • javascript_obj0221_000.js
    SHA-256: 874bee961f8ca9ee6fa78efe17c8baef62f737fe1d7cdaa2fa6c6f77c9d4cf6d
    Kind: pdf-javascript-stream
    Source: PDF /JS object 221 at offset 0x234E6C
    Size: 56 bytes
  • stream_006_off00003b46.bin
    SHA-256: f99f0dcae9357e26adb9138f590017f1c1f204d35e6d77ba2758cd22c210e126
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3B46
    Size: 9515 bytes
  • stream_096_off0022a216.bin
    SHA-256: b32793651c61e2a9cded1ae37dea1a696efd4a48c234bb4328373fa1ad9e1a8e
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x22A216
    Size: 73802 bytes
    Detection: ClamAV: Win.Trojan.Swrort-5710536-0
    Obfuscation or payload: unlikely
  • icc_00_off00001d14.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x1D14
    Size: 3144 bytes
  • font_00_cff_off00002778.bin
    SHA-256: 6651031fba957d12dca5667b8bcd4465743ec5ebc6f65e8967b72bccfbfe7a04
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x2778
    Size: 5999 bytes
  • font_02_cff_off00005dbf.bin
    SHA-256: 0d65536d0cce939d5e588e77c9d54995f6aca8f87d9877f4a2a876f72b2c5fb2
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x5DBF
    Size: 987 bytes
  • font_03_cff_off0021ca98.bin
    SHA-256: 5c2d08ba09eedc16d0e3077f6589d11a328cb2ef5d2937bbabbbf7658013c5ba
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x21CA98
    Size: 5723 bytes
  • font_04_cff_off0021e032.bin
    SHA-256: 8ea1d3f55963fbe8e7bf3ad3688feb595de8410f1233a9fd47993ac05f3e8ecb
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x21E032
    Size: 1930 bytes
  • font_05_cff_off00220251.bin
    SHA-256: 3719015a016d992cceacc04397c550d5b28edd57aa44459e3e9aac9a311f78d3
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x220251
    Size: 1078 bytes