Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d3461d8b3f485eb…

Verdict: MALICIOUS
File type: PDF
Size: 2.1 KB
MD5: ba6e22bfbcfbd20e614ef560afa439b4
SHA-1: d33da4834012eff669ec2e502524a7f4f17f4d45
SHA-256: 0d3461d8b3f485ebaa5960e65bbd5f4d781a259700f338481dd1a884730234ad
Risk score: 132

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF carries a /Launch action whose target is cmd.exe; the command line handed to cmd.exe attempts to fetch http://127.0.0.1/calc1.exe, so the document acts as a stager meant to pull down and run a second-stage executable. No parser vulnerability is involved: /Launch is a documented PDF feature, and current readers either block it or show a confirmation dialog, so execution depends on the user accepting that prompt. Note that the download target is the loopback address, so as submitted the file can only retrieve a payload from a web server on the victim's own machine; a loopback URL and a calc1.exe payload name are what a test or proof-of-concept document typically looks like, although the launch mechanism is the same one used in real lures. The ML classifier independently scored the file as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • /Launch action target: "cmd.exe" critical PDF_LAUNCH_COMMAND
    The PDF's /Launch action names an executable target that is a known-dangerous interpreter or LOLBin (cmd, PowerShell, etc.).
  • Launch action high PDF_LAUNCH
    The PDF contains a /Launch action with an unresolved or extension-less target; treat it as potentially dangerous.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://127.0.0.1/calc1.exe (channel: the /Launch command line passed to cmd.exe)
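The three heuristics above, and the mechanism described under Malware Insights, can be reproduced with a small amount of code. The following is an added example written for this page, not the scanner's own implementation: it locates /Launch dictionaries in raw PDF bytes, decodes the /F (target) and /P (parameters) strings including hex-string and backslash-escaped forms that defeat a plain grep, flags known-dangerous targets, and attributes extracted URLs to the channel that carried them. The rule names and severities are copied from the report's labels, but the matching logic, the DANGEROUS_EXES list, the simplification that PDF_LAUNCH fires on every /Launch, and the two sample documents are my own assumptions; the samples are constructed to mirror the structure the report describes and are not the analysed file.

```python
"""Triage /Launch actions and embedded URLs in a PDF.

Added example, not the report generator's code. Assumptions (mine, not from the
report): rule names and severities copy the report's labels, but the matching is a
simple re-implementation over raw bytes (no FlateDecode, no object streams, no
cross-reference parsing), so it is a first-pass triage, not a full PDF parser.
"""
import re

# Interpreters and LOLBins whose use as a /Launch target is treated as critical (my list).
DANGEROUS_EXES = {b"cmd", b"powershell", b"pwsh", b"wscript", b"cscript", b"mshta",
                  b"rundll32", b"regsvr32", b"certutil", b"bitsadmin"}

# PDF string objects (ISO 32000-1, 7.3.4): (literal) with backslash escapes, or <hex>.
PDF_STRING = rb"\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>"
KEYED = {k: re.compile(rb"/" + k + rb"\s*(?:" + PDF_STRING + rb")", re.S)
         for k in (b"F", b"P", b"URI")}
URL_RE = re.compile(rb"(?:https?|ftp)://[^\s<>()\"']+")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def decode_pdf_string(m):
    """Decode a PDF_STRING match (literal or hex form) to raw bytes."""
    if m.group("hex") is not None:
        h = re.sub(rb"\s", b"", m.group("hex"))
        h += b"0" if len(h) % 2 else b""            # odd digit count: spec pads with 0
        return bytes.fromhex(h.decode("ascii"))

    def unescape(e):
        body = e.group(1)
        if body[0] in b"01234567":                  # \ddd octal escape
            return bytes([int(body, 8) & 0xFF])
        return ESCAPES.get(body, body)              # \( \) \\ and unknown: drop the backslash
    return re.sub(rb"\\([0-7]{1,3}|.)", unescape, m.group("lit"), flags=re.S)


def enclosing_dict(data, pos):
    """Return (start, end) offsets of the innermost << ... >> containing offset pos."""
    depth, i = 0, pos
    while i >= 0:                                   # walk back to the unmatched <<
        if data[i:i + 2] == b">>":
            depth, i = depth + 1, i - 2
        elif data[i:i + 2] == b"<<":
            if depth == 0:
                break
            depth, i = depth - 1, i - 2
        else:
            i -= 1
    else:
        return None
    start, depth, j = i, 0, i
    while j < len(data):                            # walk forward to its matching >>
        if data[j:j + 2] == b"<<":
            depth, j = depth + 1, j + 2
        elif data[j:j + 2] == b">>":
            depth, j = depth - 1, j + 2
            if depth == 0:
                return start, j
        else:
            j += 1
    return None


def triage(pdf):
    """Return [(severity, rule, detail), ...] for one PDF's raw bytes."""
    findings, seen, launch_strings = [], set(), []
    for m in re.finditer(rb"/S\s*/Launch\b", pdf):
        span = enclosing_dict(pdf, m.start())
        if span is None or span in seen:
            continue
        seen.add(span)
        body = pdf[span[0]:span[1]]
        # /F may be direct or inside /Win << /F ... /P ... >>; both forms are matched here.
        files = [decode_pdf_string(s) for s in KEYED[b"F"].finditer(body)]
        params = [decode_pdf_string(s) for s in KEYED[b"P"].finditer(body)]
        launch_strings += files + params
        for f in files:
            exe = f.replace(b"\\", b"/").rsplit(b"/", 1)[-1].lower()
            if exe.split(b".", 1)[0] in DANGEROUS_EXES:
                findings.append(("critical", "PDF_LAUNCH_COMMAND",
                                 "/Launch action target: %r" % f.decode("latin-1")))
        findings.append(("high", "PDF_LAUNCH", "/Launch action, targets=%r params=%r" % (
            [f.decode("latin-1") for f in files], [p.decode("latin-1") for p in params])))
    # URL attribution: launch-action strings first, then /URI link annotations, then raw body.
    urls = {}
    for s in launch_strings:
        for u in URL_RE.findall(s):
            urls.setdefault(u, "launch command line")
    for s in KEYED[b"URI"].finditer(pdf):
        for u in URL_RE.findall(decode_pdf_string(s)):
            urls.setdefault(u, "link annotation")
    for u in URL_RE.findall(pdf):
        urls.setdefault(u, "document body")
    findings += [("info", "EMBEDDED_URL", "%s via %s" % (u.decode("latin-1"), c))
                 for u, c in urls.items()]
    return findings


# Constructed samples mimicking the structure the report describes (not the analysed
# file): an /OpenAction /Launch of cmd.exe carrying a loopback download URL, and the
# same target hidden in a hex string, which a plain grep for "cmd.exe" would miss.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe)\n"
    b"  /P (/c echo constructed-sample http://127.0.0.1/calc1.exe) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_PDF_HEX = b"%PDF-1.7\n3 0 obj << /S /Launch /F <636D642E657865> /P <2F63> >> endobj\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PDF, SAMPLE_PDF_HEX):
        for severity, rule, detail in triage(sample):
            print("%-8s %-20s %s" % (severity, rule, detail))
```

Running the script against SAMPLE_PDF yields the same three findings the report lists (critical PDF_LAUNCH_COMMAND, high PDF_LAUNCH, info EMBEDDED_URL with the URL attributed to the launch command line), and against SAMPLE_PDF_HEX it still resolves the target to cmd.exe because the /F string is decoded before matching. Because it works on raw bytes, the scan will miss /Launch dictionaries inside FlateDecode'd object streams; a production scanner decompresses streams and walks the object graph first, then applies the same string decoding and target checks.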