Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff3803c02071bdff…

MALICIOUS

PDF

422.7 KB Created: 2010-03-05 23:54:55 Authoring application: Microsoft® Office Word 2007
MD5: 12deb3221a1878a24401c7b1f57d42f5 SHA-1: 966c7b4df792492f2df013af61a483e09057f405 SHA-256: ff3803c02071bdff84e329cb208c713b4bdd310cb9f8d8fabd1f21cc64ca2225
364 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File Execution: Malicious File T1059.003 Command and Scripting Interpreter: Windows Command Shell T1566.002 Phishing: Spearphishing Attachment

This PDF file contains embedded JavaScript and a critical PDF_LAUNCH heuristic firing, indicating an attempt to execute arbitrary code. Specifically, it leverages CVE-2010-1240 to launch cmd.exe with parameters that appear to prepare for executing an embedded PE payload. The ClamAV detection further confirms its malicious nature. The primary attack vector is likely a phishing attempt where the user is tricked into opening the malicious PDF.

Heuristics 9

  • Adobe Reader Launch action command execution critical CVE exact CVE_2010_1240
    PDF uses the Adobe Reader/Acrobat Launch action pattern associated with CVE-2010-1240: cmd.exe is invoked with attacker-controlled parameters, paired with an embedded/exported payload.
  • TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C (if exist "%HOMEPATH%\\My Documents\\zimbra.pdf" (cd "%HOMEPATH%\\My Documents"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Exploit.Agent-23598 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-23598
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0148_000.js
b8552cd76cb68f09d9a738e5c24d94a0fef2d69bbb8c94463a68b3332315e807		 pdf-javascript-stream PDF /JS object 148 at offset 0x69581 55 bytes
stream_001_off000008ef.bin
980bf8b14ecfc2a3d60f250440759d350da7c37709448377fceeaadd723acb89		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8EF 240690 bytes
stream_025_off000454e5.bin
a88627101f0cc220250baf96aea8548422e35ed6851bce80eea372741e1a54e7		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x454E5 142676 bytes
stream_029_off00062f06.bin
26fd45b149f0c4e1184db293873ca10b743f69676e0b29021ab5c0840430e9d2		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x62F06 87552 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.