File malicious.pdf

Size 6.5KB
Type PDF document, version 1.5
MD5 46c7eb46f3eabe1183f431b02af1f76b
SHA1 642dabf60e35f838585daef700218a42cc6f9cf5
SHA256 c884dea7216ea3698c5c6e16106c321fe02316a3078f49fa9ded919fce9c959b
SHA512 2a6a74ae6d091ed6a05f766af086ba5e765071abd8878f29926303e248fcdced468a6563351e2d7eb6f005d347a98a4e29969b13964fc1221124e6af629837fe
CRC32 642E1F98
ssdeep None
Yara
  • suspicious_obfuscation - (no description)
  • invalid_trailer_structure - (no description)

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.


Information on Execution

Analysis
Category: FILE
Started: May 24, 2025, 10:05 p.m.
Completed: May 24, 2025, 10:06 p.m.
Duration: 58 seconds
Routing: internet

Analyzer Log

2025-05-24 22:05:08,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpdyrg_l
2025-05-24 22:05:08,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\gOdUIKWLkGyrCJAkl
2025-05-24 22:05:08,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\PukgUfZAXVPOQeUIZWW
2025-05-24 22:05:08,265 [analyzer] DEBUG: Started auxiliary module Curtain
2025-05-24 22:05:08,265 [analyzer] DEBUG: Started auxiliary module DbgView
2025-05-24 22:05:08,703 [analyzer] DEBUG: Started auxiliary module Disguise
2025-05-24 22:05:08,890 [analyzer] DEBUG: Loaded monitor into process with pid 500
2025-05-24 22:05:08,890 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-05-24 22:05:08,890 [analyzer] DEBUG: Started auxiliary module Human
2025-05-24 22:05:08,890 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-05-24 22:05:08,890 [analyzer] DEBUG: Started auxiliary module Reboot
2025-05-24 22:05:08,967 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-05-24 22:05:08,967 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-05-24 22:05:08,983 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-05-24 22:05:08,983 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-05-24 22:05:09,140 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe' with arguments [u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\malicious.pdf'] and pid 624
2025-05-24 22:05:09,312 [analyzer] DEBUG: Loaded monitor into process with pid 624
2025-05-24 22:05:10,921 [analyzer] INFO: Added new file to list with pid 624 and path C:\Users\Administrator\AppData\Roaming\Adobe\Acrobat\9.0\UserCache.bin
2025-05-24 22:05:11,078 [analyzer] INFO: Added new file to list with pid 624 and path C:\Users\Administrator\AppData\Local\Adobe\Color\Profiles\wscRGB.icc
2025-05-24 22:05:11,108 [analyzer] INFO: Added new file to list with pid 624 and path C:\Users\Administrator\AppData\Local\Adobe\Color\Profiles\wsRGB.icc
2025-05-24 22:05:11,125 [analyzer] INFO: Added new file to list with pid 624 and path C:\Users\Administrator\AppData\Local\Adobe\Color\ACECache10.lst
2025-05-24 22:05:14,796 [analyzer] INFO: Added new file to list with pid 624 and path C:\Users\Administrator\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents-journal
2025-05-24 22:05:14,796 [analyzer] INFO: Added new file to list with pid 624 and path C:\Users\Administrator\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
2025-05-24 21:06:00,178 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-05-24 21:06:00,398 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 624.
2025-05-24 21:06:00,648 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-05-24 21:06:00,648 [lib.api.process] INFO: Successfully terminated process with pid 624.
2025-05-24 21:06:00,678 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\roaming\\adobe\\acrobat\\9.0\\shareddataevents-journal' does not exist, skip.
2025-05-24 21:06:00,694 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-05-24 22:05:13,420 [cuckoo.core.scheduler] INFO: Task #6512593: acquired machine win7x6430 (label=win7x6430)
2025-05-24 22:05:13,421 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.230 for task #6512593
2025-05-24 22:05:13,742 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3220769 (interface=vboxnet0, host=192.168.168.230)
2025-05-24 22:05:13,772 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6430
2025-05-24 22:05:14,421 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6430 to vmcloak
2025-05-24 22:05:22,566 [cuckoo.core.guest] INFO: Starting analysis #6512593 on guest (id=win7x6430, ip=192.168.168.230)
2025-05-24 22:05:23,572 [cuckoo.core.guest] DEBUG: win7x6430: not ready yet
2025-05-24 22:05:28,600 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6430, ip=192.168.168.230)
2025-05-24 22:05:28,672 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6430, ip=192.168.168.230, monitor=latest, size=6660546)
2025-05-24 22:05:30,011 [cuckoo.core.resultserver] DEBUG: Task #6512593: live log analysis.log initialized.
2025-05-24 22:05:30,852 [cuckoo.core.resultserver] DEBUG: Task #6512593 is sending a BSON stream
2025-05-24 22:05:31,276 [cuckoo.core.resultserver] DEBUG: Task #6512593 is sending a BSON stream
2025-05-24 22:05:32,166 [cuckoo.core.resultserver] DEBUG: Task #6512593: File upload for 'shots/0001.jpg'
2025-05-24 22:05:32,178 [cuckoo.core.resultserver] DEBUG: Task #6512593 uploaded file length: 133495
2025-05-24 22:05:33,283 [cuckoo.core.resultserver] DEBUG: Task #6512593: File upload for 'shots/0002.jpg'
2025-05-24 22:05:33,295 [cuckoo.core.resultserver] DEBUG: Task #6512593 uploaded file length: 125304
2025-05-24 22:05:34,494 [cuckoo.core.resultserver] DEBUG: Task #6512593: File upload for 'shots/0003.jpg'
2025-05-24 22:05:34,551 [cuckoo.core.resultserver] DEBUG: Task #6512593 uploaded file length: 139773
2025-05-24 22:05:35,627 [cuckoo.core.resultserver] DEBUG: Task #6512593: File upload for 'shots/0004.jpg'
2025-05-24 22:05:35,640 [cuckoo.core.resultserver] DEBUG: Task #6512593 uploaded file length: 39098
2025-05-24 22:05:41,894 [cuckoo.core.resultserver] DEBUG: Task #6512593: File upload for 'shots/0005.jpg'
2025-05-24 22:05:41,900 [cuckoo.core.resultserver] DEBUG: Task #6512593 uploaded file length: 37380
2025-05-24 22:05:44,563 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6512593 still processing
2025-05-24 22:05:59,646 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6512593 still processing
2025-05-24 22:06:00,554 [cuckoo.core.resultserver] DEBUG: Task #6512593: File upload for 'curtain/1748113560.54.curtain.log'
2025-05-24 22:06:00,557 [cuckoo.core.resultserver] DEBUG: Task #6512593 uploaded file length: 36
2025-05-24 22:06:00,657 [cuckoo.core.resultserver] DEBUG: Task #6512593: File upload for 'sysmon/1748113560.65.sysmon.xml'
2025-05-24 22:06:00,662 [cuckoo.core.resultserver] DEBUG: Task #6512593 uploaded file length: 144174
2025-05-24 22:06:00,672 [cuckoo.core.resultserver] DEBUG: Task #6512593: File upload for 'files/96a6a6ecfc2d93b1_wscrgb.icc'
2025-05-24 22:06:00,675 [cuckoo.core.resultserver] DEBUG: Task #6512593 uploaded file length: 66208
2025-05-24 22:06:00,676 [cuckoo.core.resultserver] DEBUG: Task #6512593: File upload for 'files/ea4ca60bb8343c1f_wsrgb.icc'
2025-05-24 22:06:00,678 [cuckoo.core.resultserver] DEBUG: Task #6512593 uploaded file length: 2676
2025-05-24 22:06:00,685 [cuckoo.core.resultserver] DEBUG: Task #6512593: File upload for 'files/2ef275e7c75f8070_acecache10.lst'
2025-05-24 22:06:00,688 [cuckoo.core.resultserver] DEBUG: Task #6512593 uploaded file length: 1946
2025-05-24 22:06:00,693 [cuckoo.core.resultserver] DEBUG: Task #6512593: File upload for 'files/9f840dcd3e1cce13_shareddataevents'
2025-05-24 22:06:00,695 [cuckoo.core.resultserver] DEBUG: Task #6512593 uploaded file length: 3072
2025-05-24 22:06:00,702 [cuckoo.core.resultserver] DEBUG: Task #6512593: File upload for 'files/2cbbfbe12768f624_usercache.bin'
2025-05-24 22:06:00,704 [cuckoo.core.resultserver] DEBUG: Task #6512593 uploaded file length: 69063
2025-05-24 22:06:01,573 [cuckoo.core.resultserver] DEBUG: Task #6512593: File upload for 'shots/0006.jpg'
2025-05-24 22:06:01,584 [cuckoo.core.resultserver] DEBUG: Task #6512593 uploaded file length: 133477
2025-05-24 22:06:01,602 [cuckoo.core.resultserver] DEBUG: Task #6512593 had connection reset for <Context for LOG>
2025-05-24 22:06:02,659 [cuckoo.core.guest] INFO: win7x6430: analysis completed successfully
2025-05-24 22:06:02,673 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-05-24 22:06:02,700 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-05-24 22:06:03,664 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6430 to path /srv/cuckoo/cwd/storage/analyses/6512593/memory.dmp
2025-05-24 22:06:03,665 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6430
2025-05-24 22:06:11,309 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.230 for task #6512593
2025-05-24 22:06:11,597 [cuckoo.core.scheduler] DEBUG: Released database task #6512593
2025-05-24 22:06:11,615 [cuckoo.core.scheduler] INFO: Task #6512593: analysis procedure completed

Signatures

Yara rules detected for file (2 events)
  • rule suspicious_obfuscation (no description)
  • rule invalid_trailer_structure (no description)
The PDF file contains JavaScript code (1 event)
  • Javascript code
The PDF file contains an open action (1 event)
  • Open action: << /Type /Action /S /JavaScript /JS 6 0 R >>
The PDF open action contains JavaScript code (1 event)
  • Open action: << /Type /Action /S /JavaScript /JS 6 0 R >>
A potential heapspray has been detected. 725 megabytes was sprayed onto the heap of the AcroRd32.exe process (1 event)
  • count: 1450, name: heapspray, process: AcroRd32.exe, total_mb: 725, length: 524288, protection: PAGE_READWRITE
File has been identified by 13 AntiVirus engines on IRMA as malicious (13 events)
  • G Data Antivirus (Windows): Virus: Exploit.PDF-Name.2.Gen (Engine A)
  • Avast Core Security (Linux): JS:Pdfka-AK [Expl]
  • C4S ClamAV (Linux): Pdf.Dropper.Agent-7478802-0
  • Trend Micro SProtect (Linux): TROJ_FRS.0NA103DH24
  • Trellix (Linux): Exploit-PDF.bk.gen trojan
  • WithSecure (Linux): Malware.HTML/Malicious.PDF.Gen3
  • eScan Antivirus (Linux): Exploit.PDF-Name.2.Gen(DB)
  • ESET Security (Windows): JS/Exploit.Pdfka.NOO trojan
  • Sophos Anti-Virus (Linux): Troj/PDFJs-AGQ
  • ClamAV (Linux): Pdf.Dropper.Agent-7478802-0
  • Bitdefender Antivirus (Linux): Exploit.PDF-Name.2.Gen
  • Kaspersky Standard (Windows): Exploit.JS.Pdfka.cil
  • Emsisoft Commandline Scanner (Windows): Exploit.PDF-Name.2.Gen (B)
File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)
  • Lionic: Trojan.PDF.Name.3!c
  • ClamAV: Pdf.Dropper.Agent-7478802-0
  • CTX: pdf.exploit-kit.pdfka
  • CAT-QuickHeal: PDF.JS.Gen.A
  • Skyhigh: BehavesLike.PDF.Exploit.xb
  • ALYac: Exploit.PDF-Name.2.Gen
  • Cylance: Unsafe
  • VIPRE: Exploit.PDF-Name.2.Gen
  • Arcabit: Exploit.PDF-Name.2.Gen
  • Baidu: JS.Exploit.Pdfka.adb
  • Symantec: Bloodhound.Exploit.213
  • ESET-NOD32: JS/Exploit.Pdfka.NOO
  • TrendMicro-HouseCall: TROJ_FRS.0NA103DH24
  • Avast: JS:Pdfka-AK [Expl]
  • Cynet: Malicious (score: 99)
  • Kaspersky: Exploit.JS.Pdfka.cil
  • BitDefender: Exploit.PDF-Name.2.Gen
  • NANO-Antivirus: Exploit.Script.IframeBof.gqjs
  • MicroWorld-eScan: Exploit.PDF-Name.2.Gen
  • Rising: Malware.UDM!0.188E06 (CLASSIC)
  • Emsisoft: Exploit.PDF-Name.2.Gen (B)
  • F-Secure: Malware.HTML/Malicious.PDF.Gen3
  • TrendMicro: TROJ_FRS.0NA103DH24
  • Sophos: Troj/PDFJs-AGQ
  • SentinelOne: Static AI - Malicious PDF
  • Google: Detected
  • Avira: HTML/Malicious.PDF.Gen3
  • Xcitium: Malware@#2q39e40knoez7
  • Microsoft: Exploit:JS/ShellCode.gen
  • ViRobot: PDF.Exploit.CVE-2008-2992.A
  • ZoneAlarm: Mal/PDFEx-D
  • GData: Exploit.PDF-Name.2.Gen
  • Varist: ShellCode.AX.gen
  • AhnLab-V3: Exploit/PDF.Generic.S1213
  • McAfee: Exploit-PDF.bk.gen
  • Ikarus: Trojan.JS.Pdfka
  • Tencent: Heur:Trojan.Script.LS_Gencirc.7033944.25
  • MaxSecure: Virus.PDF.Pidief.zm
  • Fortinet: PDF/Script.JSS!exploit
  • AVG: JS:Pdfka-AK [Expl]
  • alibabacloud: Exploit:Javascript/Pdfka.NPX
Screenshots

Network

Domains (Name, Response, Post-Analysis Lookup): No hosts contacted.
Hosts (IP Address, Status, Action, VT, Location): No hosts contacted.