MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.003 Windows Command Shell
T1204.002 Malicious File
The PDF contains a launch action that executes cmd.exe with a complex command string. This command string appears to search for specific strings within PDF files, process them using 'debug', rename the output to an executable, and then start it. This indicates an attempt to download and execute a secondary payload.
Machine Learning
- Nyx PDF Classifier clean score 0.1800
Heuristics 4
-
Launch action critical PDF_LAUNCHPDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
-
/Launch action target: c:\\windows\\system32\\cmd.exe critical PDF_LAUNCH_COMMANDPDF /Launch action specifies an executable target with parameters '/C findstr deinckqmjp *.pdf > sfntc.src && debug < sfntc.src > out.txt && rename ouite.txt ouite.exe && start ouite.exe' — references a known-dangerous executable (cmd, PowerShell, etc.).
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://pacer.psc.uscourts.gov
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
Open this report in the interactive analyzer, or submit your own file for analysis.