PDF malware analysis — malicious · fac28409672cd875

MALICIOUS

PDF

33.3 KB Created: 2008-11-27 10:13:45 Authoring application: PScript5.dll Version 5.2.2 (via GPL Ghostscript 8.15)

MD5: 1e39eaabf137c4dbb53e3fe887f69478 SHA-1: c44a5d2634f974a581c6be7a007d66a965e78759 SHA-256: fac28409672cd875d373e4162e2a8ea15683e76bd17c4cffdbe7e735615bc1f6

404 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File Execution: User Execution: Malicious File T1059.003 Command and Scripting Interpreter: Windows Command Shell T1566.002 Phishing: Spearphishing Attachment

The PDF contains a critical PDF_LAUNCH heuristic firing indicating a launch action targeting cmd.exe, exploiting CVE_2010_1240. This action is designed to execute a second-stage payload, identified as a Windows executable (Win.Trojan.Swrort-9886728-0) embedded within the PDF. The PDF also exhibits characteristics of a phishing lure, with an image-only document and an action trigger, suggesting a user is tricked into opening the malicious PDF and triggering the exploit.

Heuristics 10

Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240

PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
Launch action critical PDF_LAUNCH

PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD

PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND

PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\hacktest.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 33 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0025_000.js` `67ddb84ce0a1af87e3e61d0da8c2a9ddf427d576c0f6208aa71e272dca87d262`	pdf-javascript-stream	PDF /JS object 25 at offset 0x80DD	57 bytes
`stream_002_off000049a6.bin` `a88a872c28d831a3e607cc2f6fe087e765b9b74ceb697fa9b63fc35ea88b6012`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x49A6	25900 bytes
`stream_004_off00007c35.bin` `682aefb2f52da46969ac338c0acb91cd7a4e0e975b7549349a975d3faec649e3`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x7C35	11776 bytes
Detection ClamAV: Win.Trojan.Swrort-9886728-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.