Malicious PDF — malware analysis report

Static analysis result for SHA-256 fcede27c2941a2e5…

Verdict: MALICIOUS

File type: PDF

Size: 384.4 KB
Created: 2008-05-22 16:39:04 +02:00
Authoring application: (ImageMagick) (via GPL Ghostscript 8.61)
MD5: 1a79ea52ba6803a8dc5ddd89a81005d1
SHA-1: 459bc6553ab272aa2dda8e81fcdf8155a3f5be4e
SHA-256: fcede27c2941a2e5932e1ac917703cf26efc4042047241288fbd5391547ca315
Risk Score: 326

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File
T1059.003 Windows Command Shell
T1105 Ingress Tool Transfer

The PDF file contains embedded JavaScript and a launch action that targets cmd.exe, indicating an attempt to execute arbitrary commands. Critical heuristics confirm a CVE-2010-1240 exploit targeting Adobe Reader, which chains a launch action with an embedded PE payload. The embedded executable payload (stream_095_off00056e61.bin) is the primary indicator of malicious intent, likely serving as a downloader for further stages.

Heuristics (9)

  • Adobe Reader Launch action command execution [critical, CVE exact: CVE_2010_1240]
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • Launch action [critical, PDF_LAUNCH]
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application.
  • Embedded Windows executable payload in PDF stream [critical, PDF_EMBEDDED_PE_PAYLOAD]
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe [critical, PDF_LAUNCH_COMMAND]
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\test.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • JavaScript action [low, PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low, PDF_EMBEDDED]
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size (plus Detection notes where present).

javascript_obj0337_000.js
  SHA-256: b1a09f919e0f5d1c1d284849c9af93bae6fd1411634dfdc491e126f9cd327f3f
  Kind: pdf-javascript-stream
  Source: PDF /JS object 337 at offset 0x5FDB9
  Size: 53 bytes

stream_072_off00030252.bin
  SHA-256: 90570f8106b8b7a4a7f82ae14c63ccedb26a852fcd48f9189c90dec6495b3b44
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x30252
  Size: 4537 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.69, consistent with packed or encrypted content)

stream_073_off00031462.bin
  SHA-256: 9a62cbfa415a1a6090d4dd411c337935aa8e1c69ecf3c7931a5465130bf195a2
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x31462
  Size: 13502 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.90, consistent with packed or encrypted content)

stream_095_off00056e61.bin
  SHA-256: ba208f7657a2fe0ad6cd602ac9d5cd39882e6aa3cfbba8cededf81b79f3f5b94
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x56E61
  Size: 98304 bytes

font_01_type1_off00034870.bin
  SHA-256: afac4dc8820c37c0a02e2eef0c00ab85395848351c51bb2b452c140f5ebd833c
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x34870
  Size: 4050 bytes

font_02_type1_off0003588d.bin
  SHA-256: 40b260748efa5b281a7ebe85be475c4c2b9252e1d8e65144f457957767406a53
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x3588D
  Size: 6619 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.85, consistent with packed or encrypted content)

font_03_type1_off0003726f.bin
  SHA-256: 2c05757ac0f5a1bae03e4a954ea47347c0681c2c31b47760d3f3843464a49c62
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x3726F
  Size: 1896 bytes

font_04_type1_off00037a53.bin
  SHA-256: dfb29444d2ea997bbcc683a355864c73540fdc34009e6263f2385a9f14c249aa
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x37A53
  Size: 1971 bytes

font_05_type1_off0003826f.bin
  SHA-256: b6fbd00a04877eec0e853cbb6b9d758e35d77d1780443c0d382ac500dbd84fa4
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x3826F
  Size: 4394 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.66, consistent with packed or encrypted content)

font_06_type1_off00039411.bin
  SHA-256: 3dd23495cd097efb540f9178ba9dfc50f169637a950f36ab9c4ea92f846bb5db
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x39411
  Size: 1436 bytes

font_07_type1_off00039a20.bin
  SHA-256: a831325f9b505cfc8b5c5dd4bd82de3e18ecbaef39c574a6c3d842f21bd5a68a
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x39A20
  Size: 2072 bytes

font_08_type1_off000535ca.bin
  SHA-256: 281687fc5d60fa9f8440986d556dce44eec4e23220b2e4c346ffd748b6c309f9
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x535CA
  Size: 2351 bytes